diff --git a/apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml b/apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml
index eb89e2d86e..f5c76875ff 100644
--- a/apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml
+++ b/apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml
@@ -9,6 +9,7 @@ rules: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2020-top25': true cwe2021-top25': true cwe2022-top25': true
diff --git a/apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml b/apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml
index e4706a9434..56ae996c29 100644
--- a/apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml
+++ b/apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml
@@ -9,6 +9,7 @@ rules: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2020-top25': true cwe2021-top25': true cwe2022-top25': true
diff --git a/apex/lang/security/ncino/dml/DmlNativeStatements.yaml b/apex/lang/security/ncino/dml/DmlNativeStatements.yaml
index 3c892d3bd6..41d28f6546 100644
--- a/apex/lang/security/ncino/dml/DmlNativeStatements.yaml
+++ b/apex/lang/security/ncino/dml/DmlNativeStatements.yaml
@@ -10,6 +10,8 @@ rules: owasp: - A01:2021 - Broken Access Control - A04:2021 - Insecure Design + - A01:2025 - Broken Access Control + - A06:2025 - Insecure Design impact: HIGH likelihood: LOW confidence: LOW
diff --git a/apex/lang/security/ncino/encryption/BadCrypto.yaml b/apex/lang/security/ncino/encryption/BadCrypto.yaml
index 38690ec108..73e9a95301 100644
--- a/apex/lang/security/ncino/encryption/BadCrypto.yaml
+++ b/apex/lang/security/ncino/encryption/BadCrypto.yaml
@@ -9,6 +9,7 @@ rules: - 'CWE-321: Use of Hard-coded Cryptographic Key' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures impact: HIGH likelihood: LOW confidence: LOW
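Review bot: The new `A01:2025` entry is immediately followed by three context keys spelled `cwe2020-top25': true`, `cwe2021-top25': true` and `cwe2022-top25': true`, where the trailing apostrophe is part of the plain-scalar key name, so any tooling that looks up `cwe2020-top25` will not find these flags. Since this commit already rewrites this metadata block, dropping the stray quotes (`cwe2020-top25: true` and so on) is a cheap fix to fold in. The rest of the rule's `metadata` block lies outside the hunk.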
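Review bot: Same issue as the sibling ApexCSRFConstructor rule: the three `cwe20xx-top25': true` context keys directly under the added `A01:2025` line carry a stray apostrophe in the key name, so they are not the `cwe2020-top25` keys the rest of the repository uses. Removing the apostrophes while this block is being edited would keep the two CSRF rules' metadata machine-readable.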
diff --git a/apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml b/apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml
index 05f217056f..49059e3378 100644
--- a/apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml
+++ b/apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml
@@ -15,6 +15,7 @@ rules: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/943.html impact: HIGH
diff --git a/apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml b/apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml
index eda51746fa..452326fdc6 100644
--- a/apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml
+++ b/apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml
@@ -15,6 +15,7 @@ rules: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/943.html impact: HIGH
diff --git a/apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml b/apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml
index 83cfbcd1ac..4cc28d9d9d 100644
--- a/apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml
+++ b/apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml
@@ -9,6 +9,7 @@ rules: - 'CWE-284: Improper Access Control' owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm - https://cwe.mitre.org/data/definitions/284.html
diff --git a/bash/curl/security/curl-eval.yaml b/bash/curl/security/curl-eval.yaml
index a6f96ef45a..1ab6888485 100644
--- a/bash/curl/security/curl-eval.yaml
+++ b/bash/curl/security/curl-eval.yaml
@@ -10,6 +10,7 @@ rules: metadata: owasp: - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" category: security
diff --git a/bash/curl/security/curl-pipe-bash.yaml b/bash/curl/security/curl-pipe-bash.yaml
index 1f5434d43f..d0ea419962 100644
--- a/bash/curl/security/curl-pipe-bash.yaml
+++ b/bash/curl/security/curl-pipe-bash.yaml
@@ -12,6 +12,7 @@ rules: metadata: owasp: - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" category: security
diff --git a/bash/lang/security/ifs-tampering.yaml b/bash/lang/security/ifs-tampering.yaml
index 6aca4b9a7d..014b116c2d 100644
--- a/bash/lang/security/ifs-tampering.yaml
+++ b/bash/lang/security/ifs-tampering.yaml
@@ -18,6 +18,7 @@ rules: confidence: LOW owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true
diff --git a/c/lang/security/double-free.yaml b/c/lang/security/double-free.yaml
index a10f530ef2..9e3debe565 100644
--- a/c/lang/security/double-free.yaml
+++ b/c/lang/security/double-free.yaml
@@ -29,6 +29,7 @@ rules: owasp: - A03:2021 - Injection - A01:2017 - Injection + - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/415.html - https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory
diff --git a/c/lang/security/info-leak-on-non-formatted-string.yaml b/c/lang/security/info-leak-on-non-formatted-string.yaml
index 699ee697ab..229284e7a2 100644
--- a/c/lang/security/info-leak-on-non-formatted-string.yaml
+++ b/c/lang/security/info-leak-on-non-formatted-string.yaml
@@ -13,6 +13,7 @@ rules: confidence: LOW owasp: - A09:2021 - Security Logging and Monitoring Failures + - A09:2025 - Security Logging & Alerting Failures subcategory: - audit likelihood: LOW
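Review bot: The added `- A05:2025 - Injection` in double-free.yaml carries the existing `A03:2021 - Injection` mapping forward for a rule whose CWE is CWE-415 (double free, per the `references` entry in the hunk); a memory-safety defect is not an injection under either edition's definition, so the new tag will misclassify findings in any report grouped by 2025 category. If the intent is simply for every rule to carry some 2025 tag, I would either drop it for this rule or add a comment above the new line such as `# no clean 2025 category for memory corruption; kept aligned with the 2021 tag` so the choice is visibly deliberate. The enclosing `metadata` block starts before the hunk.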
diff --git a/c/lang/security/insecure-use-memset.yaml b/c/lang/security/insecure-use-memset.yaml
index 14c20634fb..d3c3e32849 100644
--- a/c/lang/security/insecure-use-memset.yaml
+++ b/c/lang/security/insecure-use-memset.yaml
@@ -22,6 +22,7 @@ rules: - 'CWE-14: Compiler Removal of Code to Clear Buffers' owasp: - "A04:2021 - Insecure Design" + - A06:2025 - Insecure Design references: - https://cwe.mitre.org/data/definitions/14.html - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
diff --git a/clojure/lang/security/command-injection-shell-call.yaml b/clojure/lang/security/command-injection-shell-call.yaml
index 176058fef2..2b0ef782ea 100644
--- a/clojure/lang/security/command-injection-shell-call.yaml
+++ b/clojure/lang/security/command-injection-shell-call.yaml
@@ -7,6 +7,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
diff --git a/clojure/lang/security/documentbuilderfactory-xxe.yaml b/clojure/lang/security/documentbuilderfactory-xxe.yaml
index 18065817c0..2c569d5872 100644
--- a/clojure/lang/security/documentbuilderfactory-xxe.yaml
+++ b/clojure/lang/security/documentbuilderfactory-xxe.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization
diff --git a/clojure/lang/security/use-of-md5.yaml b/clojure/lang/security/use-of-md5.yaml
index c5440175bd..ba916308f2 100644
--- a/clojure/lang/security/use-of-md5.yaml
+++ b/clojure/lang/security/use-of-md5.yaml
@@ -17,6 +17,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - "CWE-328: Use of Weak Hash" author: Gabriel Marquet
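Review bot: In insecure-use-memset.yaml the new entry is a plain scalar (`- A06:2025 - Insecure Design`) placed directly beneath the existing double-quoted `- "A04:2021 - Insecure Design"`, leaving the list with mixed quoting styles. Both forms parse to the same string, so this is style only, but writing it as `- "A06:2025 - Insecure Design"` keeps the two neighbouring lines consistent. The `references` list that follows still points at the 2021 Cryptographic Failures page rather than an Insecure Design page, which this commit does not touch.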
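Review bot: In documentbuilderfactory-xxe.yaml, the context line two below the added `A02:2025` tag reads `control_id: 5.5.2 Insecue XML Deserialization`; `Insecue` is a typo for `Insecure` in the ASVS control title. Since the hunk already edits this metadata block, fixing it to `control_id: 5.5.2 Insecure XML Deserialization` is a one-word change in the same file.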
diff --git a/clojure/lang/security/use-of-sha1.yaml b/clojure/lang/security/use-of-sha1.yaml
index 05fdcb9d22..e82678848f 100644
--- a/clojure/lang/security/use-of-sha1.yaml
+++ b/clojure/lang/security/use-of-sha1.yaml
@@ -17,6 +17,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" - "CWE-328: Use of Weak Hash"
diff --git a/clojure/security/clojure-read-string/read-string-unsafe.yaml b/clojure/security/clojure-read-string/read-string-unsafe.yaml
index 040c27e84a..caf902a5a4 100644
--- a/clojure/security/clojure-read-string/read-string-unsafe.yaml
+++ b/clojure/security/clojure-read-string/read-string-unsafe.yaml
@@ -12,6 +12,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' likelihood: MEDIUM
diff --git a/csharp/dotnet/security/audit/ldap-injection.yaml b/csharp/dotnet/security/audit/ldap-injection.yaml
index 45f293cf59..41ff769d81 100644
--- a/csharp/dotnet/security/audit/ldap-injection.yaml
+++ b/csharp/dotnet/security/audit/ldap-injection.yaml
@@ -13,6 +13,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection/ - https://cwe.mitre.org/data/definitions/90
diff --git a/csharp/dotnet/security/audit/mass-assignment.yaml b/csharp/dotnet/security/audit/mass-assignment.yaml
index 57c185a967..6dc2775269 100644
--- a/csharp/dotnet/security/audit/mass-assignment.yaml
+++ b/csharp/dotnet/security/audit/mass-assignment.yaml
@@ -13,6 +13,7 @@ rules: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://cwe.mitre.org/data/definitions/915.html - https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
diff --git a/csharp/dotnet/security/audit/misconfigured-lockout-option.yaml b/csharp/dotnet/security/audit/misconfigured-lockout-option.yaml
index 12caa54d5e..5a2ea119df 100644
--- a/csharp/dotnet/security/audit/misconfigured-lockout-option.yaml
+++ b/csharp/dotnet/security/audit/misconfigured-lockout-option.yaml
@@ -14,6 +14,7 @@ rules: - 'CWE-307: Improper Restriction of Excessive Authentication Attempts' owasp: - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - https://cwe.mitre.org/data/definitions/307.html
diff --git a/csharp/dotnet/security/audit/missing-or-broken-authorization.yaml b/csharp/dotnet/security/audit/missing-or-broken-authorization.yaml
index ffc60e2213..e40f218b32 100644
--- a/csharp/dotnet/security/audit/missing-or-broken-authorization.yaml
+++ b/csharp/dotnet/security/audit/missing-or-broken-authorization.yaml
@@ -18,6 +18,7 @@ rules: cwe2023-top25: true owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control - https://cwe.mitre.org/data/definitions/862.html
diff --git a/csharp/dotnet/security/audit/open-directory-listing.yaml b/csharp/dotnet/security/audit/open-directory-listing.yaml
index fd182b8d1a..2814656b25 100644
--- a/csharp/dotnet/security/audit/open-directory-listing.yaml
+++ b/csharp/dotnet/security/audit/open-directory-listing.yaml
@@ -14,6 +14,7 @@ rules: owasp: - A06:2017 - Security Misconfiguration - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://cwe.mitre.org/data/definitions/548.html - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
diff --git a/csharp/dotnet/security/audit/razor-use-of-htmlstring.yaml b/csharp/dotnet/security/audit/razor-use-of-htmlstring.yaml
index c66a62ac2f..21f789b38c 100644
--- a/csharp/dotnet/security/audit/razor-use-of-htmlstring.yaml
+++ b/csharp/dotnet/security/audit/razor-use-of-htmlstring.yaml
@@ -12,6 +12,7 @@ rules: - 'CWE-116: Improper Encoding or Escaping of Output' owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/116.html - https://owasp.org/Top10/A03_2021-Injection/
diff --git a/csharp/dotnet/security/audit/xpath-injection.yaml b/csharp/dotnet/security/audit/xpath-injection.yaml
index bec118a122..45bf8ab301 100644
--- a/csharp/dotnet/security/audit/xpath-injection.yaml
+++ b/csharp/dotnet/security/audit/xpath-injection.yaml
@@ -12,6 +12,7 @@ rules: - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection/ - https://cwe.mitre.org/data/definitions/643.html
diff --git a/csharp/dotnet/security/mvc-missing-antiforgery.yaml b/csharp/dotnet/security/mvc-missing-antiforgery.yaml
index 48fc6b9d7f..449dd64bc1 100644
--- a/csharp/dotnet/security/mvc-missing-antiforgery.yaml
+++ b/csharp/dotnet/security/mvc-missing-antiforgery.yaml
@@ -16,6 +16,7 @@ rules: cwe2022-top25: true owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
diff --git a/csharp/dotnet/security/net-webconfig-debug.yaml b/csharp/dotnet/security/net-webconfig-debug.yaml
index f901a77b9c..fe9fc4e1b7 100644
--- a/csharp/dotnet/security/net-webconfig-debug.yaml
+++ b/csharp/dotnet/security/net-webconfig-debug.yaml
@@ -14,6 +14,7 @@ rules: - 'CWE-11: ASP.NET Misconfiguration: Creating Debug Binary' owasp: - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration references: - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/ - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx
diff --git a/csharp/dotnet/security/razor-template-injection.yaml b/csharp/dotnet/security/razor-template-injection.yaml
index 374f3cf0d3..fb1c285847 100644
--- a/csharp/dotnet/security/razor-template-injection.yaml
+++ b/csharp/dotnet/security/razor-template-injection.yaml
@@ -13,6 +13,7 @@ rules: cwe2022-top25: true owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/ subcategory:
diff --git a/csharp/dotnet/security/use_deprecated_cipher_algorithm.yaml b/csharp/dotnet/security/use_deprecated_cipher_algorithm.yaml
index b97a1cee78..45d140ebce 100644
--- a/csharp/dotnet/security/use_deprecated_cipher_algorithm.yaml
+++ b/csharp/dotnet/security/use_deprecated_cipher_algorithm.yaml
@@ -11,6 +11,7 @@ rules: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks
diff --git a/csharp/dotnet/security/use_ecb_mode.yaml b/csharp/dotnet/security/use_ecb_mode.yaml
index 38fde97501..0e4f4c0476 100644
--- a/csharp/dotnet/security/use_ecb_mode.yaml
+++ b/csharp/dotnet/security/use_ecb_mode.yaml
@@ -12,6 +12,7 @@ rules: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0 - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0
diff --git a/csharp/dotnet/security/use_weak_rng_for_keygeneration.yaml b/csharp/dotnet/security/use_weak_rng_for_keygeneration.yaml
index 59414d3811..63e5a90673 100644
--- a/csharp/dotnet/security/use_weak_rng_for_keygeneration.yaml
+++ b/csharp/dotnet/security/use_weak_rng_for_keygeneration.yaml
@@ -13,6 +13,7 @@ rules: - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0
diff --git a/csharp/dotnet/security/use_weak_rsa_encryption_padding.yaml b/csharp/dotnet/security/use_weak_rsa_encryption_padding.yaml
index bc44178bdc..e27173e220 100644
--- a/csharp/dotnet/security/use_weak_rsa_encryption_padding.yaml
+++ b/csharp/dotnet/security/use_weak_rsa_encryption_padding.yaml
@@ -12,6 +12,7 @@ rules: - 'CWE-780: Use of RSA Algorithm without OAEP' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter
diff --git a/csharp/dotnet/security/web-config-insecure-cookie-settings.yaml b/csharp/dotnet/security/web-config-insecure-cookie-settings.yaml
index dc7df820bf..9f36396796 100644
--- a/csharp/dotnet/security/web-config-insecure-cookie-settings.yaml
+++ b/csharp/dotnet/security/web-config-insecure-cookie-settings.yaml
@@ -12,6 +12,7 @@ rules: - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" owasp: - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration references: - https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL
diff --git a/csharp/lang/best-practice/structured-logging.yaml b/csharp/lang/best-practice/structured-logging.yaml
index b7e32d657f..c3b1fd4539 100644
--- a/csharp/lang/best-practice/structured-logging.yaml
+++ b/csharp/lang/best-practice/structured-logging.yaml
@@ -34,6 +34,7 @@ rules: - 'CWE-117: Improper Output Neutralization for Logs' owasp: - A09:2021 - Security Logging and Monitoring Failures + - A09:2025 - Security Logging & Alerting Failures technology: - .net - serilog
diff --git a/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.yaml b/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.yaml
index a69c7db281..b23a56a57c 100644
--- a/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.yaml
+++ b/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.yaml
@@ -28,6 +28,7 @@ rules: owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures cwe: - 'CWE-613: Insufficient Session Expiration' references:
diff --git a/csharp/lang/security/cryptography/X509-subject-name-validation.yaml b/csharp/lang/security/cryptography/X509-subject-name-validation.yaml
index b693de8bb1..1871c4eee9 100644
--- a/csharp/lang/security/cryptography/X509-subject-name-validation.yaml
+++ b/csharp/lang/security/cryptography/X509-subject-name-validation.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8 category: security
diff --git a/csharp/lang/security/cryptography/X509Certificate2-privkey.yaml b/csharp/lang/security/cryptography/X509Certificate2-privkey.yaml
index e2557f061f..f4f561a4aa 100644
--- a/csharp/lang/security/cryptography/X509Certificate2-privkey.yaml
+++ b/csharp/lang/security/cryptography/X509Certificate2-privkey.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-310: CWE CATEGORY: Cryptographic Issues' owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.privatekey category: security
diff --git a/csharp/lang/security/cryptography/unsigned-security-token.yaml b/csharp/lang/security/cryptography/unsigned-security-token.yaml
index e702960548..679eaa41ee 100644
--- a/csharp/lang/security/cryptography/unsigned-security-token.yaml
+++ b/csharp/lang/security/cryptography/unsigned-security-token.yaml
@@ -15,6 +15,7 @@ rules: - csharp owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - 'CWE-347: Improper Verification of Cryptographic Signature' references:
diff --git a/csharp/lang/security/filesystem/unsafe-path-combine.yaml b/csharp/lang/security/filesystem/unsafe-path-combine.yaml
index 112b3b4664..846110e0ae 100644
--- a/csharp/lang/security/filesystem/unsafe-path-combine.yaml
+++ b/csharp/lang/security/filesystem/unsafe-path-combine.yaml
@@ -52,6 +52,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory:
diff --git a/csharp/lang/security/http/http-listener-wildcard-bindings.yaml b/csharp/lang/security/http/http-listener-wildcard-bindings.yaml
index 778e6996dc..a5772f0284 100644
--- a/csharp/lang/security/http/http-listener-wildcard-bindings.yaml
+++ b/csharp/lang/security/http/http-listener-wildcard-bindings.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0 category: security
diff --git a/csharp/lang/security/injections/os-command.yaml b/csharp/lang/security/injections/os-command.yaml
index 5d9631f30a..a5ce94f71e 100644
--- a/csharp/lang/security/injections/os-command.yaml
+++ b/csharp/lang/security/injections/os-command.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/Command_Injection category: security
diff --git a/csharp/lang/security/insecure-deserialization/binary-formatter.yaml b/csharp/lang/security/insecure-deserialization/binary-formatter.yaml
index f83c06f0c8..e314d2bf8b 100644
--- a/csharp/lang/security/insecure-deserialization/binary-formatter.yaml
+++ b/csharp/lang/security/insecure-deserialization/binary-formatter.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide category: security
diff --git a/csharp/lang/security/insecure-deserialization/data-contract-resolver.yaml b/csharp/lang/security/insecure-deserialization/data-contract-resolver.yaml
index 58f61c4071..cf82caaa6a 100644
--- a/csharp/lang/security/insecure-deserialization/data-contract-resolver.yaml
+++ b/csharp/lang/security/insecure-deserialization/data-contract-resolver.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide category: security
diff --git a/csharp/lang/security/insecure-deserialization/fast-json.yaml b/csharp/lang/security/insecure-deserialization/fast-json.yaml
index 2c4fcc68ce..a3c81d5997 100644
--- a/csharp/lang/security/insecure-deserialization/fast-json.yaml
+++ b/csharp/lang/security/insecure-deserialization/fast-json.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://github.com/mgholam/fastJSON#security-warning-update category: security
diff --git a/csharp/lang/security/insecure-deserialization/fs-pickler.yaml b/csharp/lang/security/insecure-deserialization/fs-pickler.yaml
index 4e2c37c061..9d3e300c01 100644
--- a/csharp/lang/security/insecure-deserialization/fs-pickler.yaml
+++ b/csharp/lang/security/insecure-deserialization/fs-pickler.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution category: security
diff --git a/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.yaml b/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.yaml
index 07ab9bb5b7..c296075621 100644
--- a/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.yaml
+++ b/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0 - https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html
diff --git a/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml b/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml
index fb989a13d8..3ecb5ba6b2 100644
--- a/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml
+++ b/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks category: security
diff --git a/csharp/lang/security/insecure-deserialization/los-formatter.yaml b/csharp/lang/security/insecure-deserialization/los-formatter.yaml
index 1c73160f51..db4b9913a9 100644
--- a/csharp/lang/security/insecure-deserialization/los-formatter.yaml
+++ b/csharp/lang/security/insecure-deserialization/los-formatter.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8 category: security
diff --git a/csharp/lang/security/insecure-deserialization/net-data-contract.yaml b/csharp/lang/security/insecure-deserialization/net-data-contract.yaml
index fcc90ceb56..da077d8708 100644
--- a/csharp/lang/security/insecure-deserialization/net-data-contract.yaml
+++ b/csharp/lang/security/insecure-deserialization/net-data-contract.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security category: security
diff --git a/csharp/lang/security/insecure-deserialization/newtonsoft.yaml b/csharp/lang/security/insecure-deserialization/newtonsoft.yaml
index 8f86fd2a5d..f990599065 100644
--- a/csharp/lang/security/insecure-deserialization/newtonsoft.yaml
+++ b/csharp/lang/security/insecure-deserialization/newtonsoft.yaml
@@ -30,6 +30,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks technology:
diff --git a/csharp/lang/security/insecure-deserialization/soap-formatter.yaml b/csharp/lang/security/insecure-deserialization/soap-formatter.yaml
index 50c9231e84..9c25c44598 100644
--- a/csharp/lang/security/insecure-deserialization/soap-formatter.yaml
+++ b/csharp/lang/security/insecure-deserialization/soap-formatter.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks category: security
diff --git a/csharp/lang/security/memory/memory-marshal-create-span.yaml b/csharp/lang/security/memory/memory-marshal-create-span.yaml
index c4abb5f8f1..f9d25ee553 100644
--- a/csharp/lang/security/memory/memory-marshal-create-span.yaml
+++ b/csharp/lang/security/memory/memory-marshal-create-span.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-125: Out-of-bounds Read' owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0 - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0
diff --git a/csharp/lang/security/missing-hsts-header.yaml b/csharp/lang/security/missing-hsts-header.yaml
index c2659579af..0313c2aee2 100644
--- a/csharp/lang/security/missing-hsts-header.yaml
+++ b/csharp/lang/security/missing-hsts-header.yaml
@@ -37,6 +37,7 @@ rules: - dotnet owasp: - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures cwe: - 'CWE-346: Origin Validation Error' references:
diff --git a/csharp/lang/security/open-redirect.yaml b/csharp/lang/security/open-redirect.yaml
index 8f68404cdd..d51f3202c3 100644
--- a/csharp/lang/security/open-redirect.yaml
+++ b/csharp/lang/security/open-redirect.yaml
@@ -37,6 +37,7 @@ rules: - https://cwe.mitre.org/data/definitions/601.html owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control subcategory: - vuln likelihood: MEDIUM
diff --git a/csharp/lang/security/sqli/csharp-sqli.yaml b/csharp/lang/security/sqli/csharp-sqli.yaml
index a229710c32..4c7706618f 100644
--- a/csharp/lang/security/sqli/csharp-sqli.yaml
+++ b/csharp/lang/security/sqli/csharp-sqli.yaml
@@ -47,6 +47,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
diff --git a/csharp/lang/security/ssrf/http-client.yaml b/csharp/lang/security/ssrf/http-client.yaml
index d362c70e33..43c53d1809 100644
--- a/csharp/lang/security/ssrf/http-client.yaml
+++ b/csharp/lang/security/ssrf/http-client.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security
diff --git a/csharp/lang/security/ssrf/rest-client.yaml b/csharp/lang/security/ssrf/rest-client.yaml
index c3847f2d99..8465b25190 100644
--- a/csharp/lang/security/ssrf/rest-client.yaml
+++ b/csharp/lang/security/ssrf/rest-client.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security
diff --git a/csharp/lang/security/ssrf/web-client.yaml b/csharp/lang/security/ssrf/web-client.yaml
index 28de0fec2d..ccbaa030b5 100644
--- a/csharp/lang/security/ssrf/web-client.yaml
+++ b/csharp/lang/security/ssrf/web-client.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security
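Review bot: In ssrf/http-client.yaml the added `- A01:2025 - Broken Access Control` sits under a CWE-918 SSRF rule whose only other OWASP tag is `A10:2021 - Server-Side Request Forgery (SSRF)`, and nothing in the file explains why the 2025 tag names a different category, so a later reader is likely to take it for a mis-tag. A one-line YAML comment above the new entry, such as `# OWASP Top 10 2025 folds SSRF into A01 Broken Access Control`, would record the intent; the same note applies to the rest-client and web-client hunks on this line, which make the identical change. The `metadata` block of each rule begins before its hunk.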
diff --git a/csharp/lang/security/ssrf/web-request.yaml b/csharp/lang/security/ssrf/web-request.yaml
index 38746e6242..f4f2225386 100644
--- a/csharp/lang/security/ssrf/web-request.yaml
+++ b/csharp/lang/security/ssrf/web-request.yaml
@@ -8,6 +8,7 @@ rules: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control references: - https://cwe.mitre.org/data/definitions/918.html - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
diff --git a/csharp/lang/security/stacktrace-disclosure.yaml b/csharp/lang/security/stacktrace-disclosure.yaml
index a31d4b3598..246c9b2507 100644
--- a/csharp/lang/security/stacktrace-disclosure.yaml
+++ b/csharp/lang/security/stacktrace-disclosure.yaml
@@ -21,6 +21,7 @@ rules: owasp: - A06:2017 - Security Misconfiguration - A04:2021 - Insecure Design + - A06:2025 - Insecure Design cwe: - 'CWE-209: Generation of Error Message Containing Sensitive Information' references:
diff --git a/csharp/lang/security/xxe/xmldocument-unsafe-parser-override.yaml b/csharp/lang/security/xxe/xmldocument-unsafe-parser-override.yaml
index 624f6ee6aa..f2c63dc725 100644
--- a/csharp/lang/security/xxe/xmldocument-unsafe-parser-override.yaml
+++ b/csharp/lang/security/xxe/xmldocument-unsafe-parser-override.yaml
@@ -34,6 +34,7 @@ rules: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory:
diff --git a/csharp/lang/security/xxe/xmlreadersettings-unsafe-parser-override.yaml b/csharp/lang/security/xxe/xmlreadersettings-unsafe-parser-override.yaml
index 596a3a3334..bfe38bf50d 100644
--- a/csharp/lang/security/xxe/xmlreadersettings-unsafe-parser-override.yaml
+++ b/csharp/lang/security/xxe/xmlreadersettings-unsafe-parser-override.yaml
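Review bot: In stacktrace-disclosure.yaml the added `- A06:2025 - Insecure Design` reads as a mechanical carry-over of the 2021 tag, but the rule's CWE is CWE-209 (error message containing sensitive information, visible in the `cwe` list just below the new line), and the 2025 edition introduces `A10:2025 - Mishandling of Exceptional Conditions`, which as far as I recall is the category whose CWE list covers CWE-209. If that holds, `- A10:2025 - Mishandling of Exceptional Conditions` is the better fit, in place of or alongside the A06 entry; worth checking against the 2025 CWE mapping before merging. The enclosing `metadata` block begins before the hunk.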
@@ -34,6 +34,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/csharp/lang/security/xxe/xmltextreader-unsafe-defaults.yaml b/csharp/lang/security/xxe/xmltextreader-unsafe-defaults.yaml
index f56ade6fac..26422ac861 100644
--- a/csharp/lang/security/xxe/xmltextreader-unsafe-defaults.yaml
+++ b/csharp/lang/security/xxe/xmltextreader-unsafe-defaults.yaml
@@ -35,6 +35,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/csharp/razor/security/html-raw-json.yaml b/csharp/razor/security/html-raw-json.yaml
index 9ed9d3a6a4..38129a0dff 100644
--- a/csharp/razor/security/html-raw-json.yaml
+++ b/csharp/razor/security/html-raw-json.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/dockerfile/security/last-user-is-root.yaml b/dockerfile/security/last-user-is-root.yaml
index 9619c80bc1..92c0474e3f 100644
--- a/dockerfile/security/last-user-is-root.yaml
+++ b/dockerfile/security/last-user-is-root.yaml
@@ -32,6 +32,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: MEDIUM
diff --git a/dockerfile/security/missing-user-entrypoint.yaml b/dockerfile/security/missing-user-entrypoint.yaml
index 659ddaa77c..af56761a57 100644
--- a/dockerfile/security/missing-user-entrypoint.yaml
+++ b/dockerfile/security/missing-user-entrypoint.yaml
@@ -24,6 +24,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://owasp.org/Top10/A04_2021-Insecure_Design
 subcategory:
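Review bot: In the html-raw-json hunk the `references:` list still carries only `https://owasp.org/Top10/A03_2021-Injection`, so the new `- A05:2025 - Injection` tag has no matching link; the same gap is visible in missing-user-entrypoint in this group and later in missing-user, bash-reverse-shell, build-gradle-password-hardcoded, alias-path-traversal and insecure-redirect, each of which links a `/Top10/A0x_2021-…` page next to its new 2025 tag. Consumers that render references beside the owasp tags will show a 2025 category backed by a 2021-only document. Either add the corresponding 2025 category page to each of those lists or leave a comment above `references:` stating that links intentionally track the 2021 edition until the 2025 pages are finalised.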
diff --git a/dockerfile/security/missing-user.yaml b/dockerfile/security/missing-user.yaml
index 4b8a25e3b1..bf5a534844 100644
--- a/dockerfile/security/missing-user.yaml
+++ b/dockerfile/security/missing-user.yaml
@@ -26,6 +26,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://owasp.org/Top10/A04_2021-Insecure_Design
 subcategory:
diff --git a/dockerfile/security/no-sudo-in-dockerfile.yaml b/dockerfile/security/no-sudo-in-dockerfile.yaml
index c42d13e6cd..5976f8c396 100644
--- a/dockerfile/security/no-sudo-in-dockerfile.yaml
+++ b/dockerfile/security/no-sudo-in-dockerfile.yaml
@@ -14,6 +14,7 @@ rules:
 - 'CWE-250: Execution with Unnecessary Privileges'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://cwe.mitre.org/data/definitions/250.html
 - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
diff --git a/dockerfile/security/secret-in-build-arg.yaml b/dockerfile/security/secret-in-build-arg.yaml
index 7c24ed06e0..4adff0b7c1 100644
--- a/dockerfile/security/secret-in-build-arg.yaml
+++ b/dockerfile/security/secret-in-build-arg.yaml
@@ -21,6 +21,7 @@ rules:
 - 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://cwe.mitre.org/data/definitions/538.html
 - https://docs.docker.com/engine/reference/builder/#arg
diff --git a/generic/bicep/security/secure-parameter-for-secrets.yaml b/generic/bicep/security/secure-parameter-for-secrets.yaml
index 5954c484b2..fd8b1674f6 100644
--- a/generic/bicep/security/secure-parameter-for-secrets.yaml
+++ b/generic/bicep/security/secure-parameter-for-secrets.yaml
@@ -22,6 +22,7 @@ rules:
 - https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/ci/security/bash-reverse-shell.yaml b/generic/ci/security/bash-reverse-shell.yaml
index b1cb2dffb7..dbea5bdda0 100644
--- a/generic/ci/security/bash-reverse-shell.yaml
+++ b/generic/ci/security/bash-reverse-shell.yaml
@@ -9,6 +9,7 @@ rules:
 confidence: HIGH
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/generic/gradle/security/build-gradle-password-hardcoded.yaml b/generic/gradle/security/build-gradle-password-hardcoded.yaml
index ec632bbcac..fdcab8c29c 100644
--- a/generic/gradle/security/build-gradle-password-hardcoded.yaml
+++ b/generic/gradle/security/build-gradle-password-hardcoded.yaml
@@ -21,6 +21,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 technology:
diff --git a/generic/html-templates/security/unquoted-attribute-var.yaml b/generic/html-templates/security/unquoted-attribute-var.yaml
index b39cb5254c..ac2a8b1958 100644
--- a/generic/html-templates/security/unquoted-attribute-var.yaml
+++ b/generic/html-templates/security/unquoted-attribute-var.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
 category: security
diff --git a/generic/html-templates/security/var-in-href.yaml b/generic/html-templates/security/var-in-href.yaml
index 27ebbabe7a..742f5ba1a5 100644
--- a/generic/html-templates/security/var-in-href.yaml
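Review bot: `- A09:2025 - Security Logging & Alerting Failures` in the secure-parameter-for-secrets hunk adds a second year to a mapping that does not fit the rule: the rule is about secrets passed as non-secure Bicep parameters, while every other secret-handling rule in this diff (the gitleaks set and build-gradle-password-hardcoded) maps to A07 Authentication Failures, and secret-in-build-arg maps to A01. The inconsistency is pre-existing on the 2021 line, but reproducing it for 2025 entrenches it and makes per-category reports put this rule beside logging findings. If the commit is a mechanical 2021→2025 carry-forward, the minimal fix is to pair it with `- A07:2025 - Authentication Failures` here, or to add a comment above `owasp:` explaining why A09 was chosen so the choice is not mistaken for an oversight.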
+++ b/generic/html-templates/security/var-in-href.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
 - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url
diff --git a/generic/html-templates/security/var-in-script-src.yaml b/generic/html-templates/security/var-in-script-src.yaml
index ab4c328441..467562ed78 100644
--- a/generic/html-templates/security/var-in-script-src.yaml
+++ b/generic/html-templates/security/var-in-script-src.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
diff --git a/generic/html-templates/security/var-in-script-tag.yaml b/generic/html-templates/security/var-in-script-tag.yaml
index 835f776266..090f9d06cf 100644
--- a/generic/html-templates/security/var-in-script-tag.yaml
+++ b/generic/html-templates/security/var-in-script-tag.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
diff --git a/generic/nginx/security/alias-path-traversal.yaml b/generic/nginx/security/alias-path-traversal.yaml
index b4fbce25d2..2430a58a53 100644
--- a/generic/nginx/security/alias-path-traversal.yaml
+++ b/generic/nginx/security/alias-path-traversal.yaml
@@ -37,6 +37,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/Top10/A01_2021-Broken_Access_Control
 - https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
diff --git a/generic/nginx/security/dynamic-proxy-host.yaml b/generic/nginx/security/dynamic-proxy-host.yaml
index 52aebac0bc..4e27db9b93 100644
--- a/generic/nginx/security/dynamic-proxy-host.yaml
+++ b/generic/nginx/security/dynamic-proxy-host.yaml
@@ -26,6 +26,7 @@ rules:
 - "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/dynamic-proxy-scheme.yaml b/generic/nginx/security/dynamic-proxy-scheme.yaml
index e484e60618..cfecdb737f 100644
--- a/generic/nginx/security/dynamic-proxy-scheme.yaml
+++ b/generic/nginx/security/dynamic-proxy-scheme.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/header-injection.yaml b/generic/nginx/security/header-injection.yaml
index dadfcaf0d5..2ff406e99e 100644
--- a/generic/nginx/security/header-injection.yaml
+++ b/generic/nginx/security/header-injection.yaml
@@ -32,6 +32,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/header-redefinition.yaml b/generic/nginx/security/header-redefinition.yaml
index d1460bd003..07b0f4b353 100644
--- a/generic/nginx/security/header-redefinition.yaml
+++ b/generic/nginx/security/header-redefinition.yaml
@@ -40,6 +40,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/insecure-redirect.yaml b/generic/nginx/security/insecure-redirect.yaml
index 061e998eef..7a9d08f340 100644
--- a/generic/nginx/security/insecure-redirect.yaml
+++ b/generic/nginx/security/insecure-redirect.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
 subcategory:
diff --git a/generic/nginx/security/insecure-ssl-version.yaml b/generic/nginx/security/insecure-ssl-version.yaml
index 6b8354ac01..65d48ba18e 100644
--- a/generic/nginx/security/insecure-ssl-version.yaml
+++ b/generic/nginx/security/insecure-ssl-version.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: MEDIUM
diff --git a/generic/nginx/security/missing-internal.yaml b/generic/nginx/security/missing-internal.yaml
index 4dea1f7c33..3790af2270 100644
--- a/generic/nginx/security/missing-internal.yaml
+++ b/generic/nginx/security/missing-internal.yaml
@@ -46,6 +46,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/missing-ssl-version.yaml b/generic/nginx/security/missing-ssl-version.yaml
index 50094c858f..194b1041bd 100644
--- a/generic/nginx/security/missing-ssl-version.yaml
+++ b/generic/nginx/security/missing-ssl-version.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/possible-h2c-smuggling.yaml b/generic/nginx/security/possible-h2c-smuggling.yaml
index 1ae8448e99..d5d732793d 100644
--- a/generic/nginx/security/possible-h2c-smuggling.yaml
+++ b/generic/nginx/security/possible-h2c-smuggling.yaml
@@ -54,6 +54,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/nginx/security/request-host-used.yaml b/generic/nginx/security/request-host-used.yaml
index 0eed409569..b71f299bae 100644
--- a/generic/nginx/security/request-host-used.yaml
+++ b/generic/nginx/security/request-host-used.yaml
@@ -29,6 +29,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/secrets/gitleaks/adafruit-api-key.yaml b/generic/secrets/gitleaks/adafruit-api-key.yaml
index 7414a57e4a..e51cc452d2 100644
--- a/generic/secrets/gitleaks/adafruit-api-key.yaml
+++ b/generic/secrets/gitleaks/adafruit-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/adobe-client-id.yaml b/generic/secrets/gitleaks/adobe-client-id.yaml
index e5c30adf39..10b22ff546 100644
--- a/generic/secrets/gitleaks/adobe-client-id.yaml
+++ b/generic/secrets/gitleaks/adobe-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/adobe-client-secret.yaml b/generic/secrets/gitleaks/adobe-client-secret.yaml
index 01effd0a9e..eaf136abbe 100644
--- a/generic/secrets/gitleaks/adobe-client-secret.yaml
+++ b/generic/secrets/gitleaks/adobe-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/age-secret-key.yaml b/generic/secrets/gitleaks/age-secret-key.yaml
index fd32bd955a..d92ff20213 100644
--- a/generic/secrets/gitleaks/age-secret-key.yaml
+++ b/generic/secrets/gitleaks/age-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/airtable-api-key.yaml b/generic/secrets/gitleaks/airtable-api-key.yaml
index ffc6b5b143..be9103d8c9 100644
--- a/generic/secrets/gitleaks/airtable-api-key.yaml
+++ b/generic/secrets/gitleaks/airtable-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/algolia-api-key.yaml b/generic/secrets/gitleaks/algolia-api-key.yaml
index 0f0a5f0a34..d400d466d1 100644
--- a/generic/secrets/gitleaks/algolia-api-key.yaml
+++ b/generic/secrets/gitleaks/algolia-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/alibaba-access-key-id.yaml b/generic/secrets/gitleaks/alibaba-access-key-id.yaml
index 1d1d5cd203..de4b557412 100644
--- a/generic/secrets/gitleaks/alibaba-access-key-id.yaml
+++ b/generic/secrets/gitleaks/alibaba-access-key-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/alibaba-secret-key.yaml b/generic/secrets/gitleaks/alibaba-secret-key.yaml
index 595e513d91..df795e4810 100644
--- a/generic/secrets/gitleaks/alibaba-secret-key.yaml
+++ b/generic/secrets/gitleaks/alibaba-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/asana-client-id.yaml b/generic/secrets/gitleaks/asana-client-id.yaml
index 1f88459c0b..b5fc00351a 100644
--- a/generic/secrets/gitleaks/asana-client-id.yaml
+++ b/generic/secrets/gitleaks/asana-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/asana-client-secret.yaml b/generic/secrets/gitleaks/asana-client-secret.yaml
index 9bf28eb7a9..a59e0d2745 100644
--- a/generic/secrets/gitleaks/asana-client-secret.yaml
+++ b/generic/secrets/gitleaks/asana-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/atlassian-api-token.yaml b/generic/secrets/gitleaks/atlassian-api-token.yaml
index 1fcebb128f..5648cfe4d3 100644
--- a/generic/secrets/gitleaks/atlassian-api-token.yaml
+++ b/generic/secrets/gitleaks/atlassian-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/authress-service-client-access-key.yaml b/generic/secrets/gitleaks/authress-service-client-access-key.yaml
index 7ffeba74c0..1135a828ec 100644
--- a/generic/secrets/gitleaks/authress-service-client-access-key.yaml
+++ b/generic/secrets/gitleaks/authress-service-client-access-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/aws-access-token.yaml b/generic/secrets/gitleaks/aws-access-token.yaml
index 8fa251c7d6..972eaeb177 100644
--- a/generic/secrets/gitleaks/aws-access-token.yaml
+++ b/generic/secrets/gitleaks/aws-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/beamer-api-token.yaml b/generic/secrets/gitleaks/beamer-api-token.yaml
index a55bcee05d..71a998867f 100644
--- a/generic/secrets/gitleaks/beamer-api-token.yaml
+++ b/generic/secrets/gitleaks/beamer-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/bitbucket-client-id.yaml b/generic/secrets/gitleaks/bitbucket-client-id.yaml
index 80c036617a..c82fc76437 100644
--- a/generic/secrets/gitleaks/bitbucket-client-id.yaml
+++ b/generic/secrets/gitleaks/bitbucket-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/bitbucket-client-secret.yaml b/generic/secrets/gitleaks/bitbucket-client-secret.yaml
index b5ede43cda..ebc3d5d4b5 100644
--- a/generic/secrets/gitleaks/bitbucket-client-secret.yaml
+++ b/generic/secrets/gitleaks/bitbucket-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/bittrex-access-key.yaml b/generic/secrets/gitleaks/bittrex-access-key.yaml
index a3206ae4e9..8e5f28b927 100644
--- a/generic/secrets/gitleaks/bittrex-access-key.yaml
+++ b/generic/secrets/gitleaks/bittrex-access-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/bittrex-secret-key.yaml b/generic/secrets/gitleaks/bittrex-secret-key.yaml
index c87a9f164b..2840712e1f 100644
--- a/generic/secrets/gitleaks/bittrex-secret-key.yaml
+++ b/generic/secrets/gitleaks/bittrex-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/clojars-api-token.yaml b/generic/secrets/gitleaks/clojars-api-token.yaml
index 1bd151c065..8d9c73e591 100644
--- a/generic/secrets/gitleaks/clojars-api-token.yaml
+++ b/generic/secrets/gitleaks/clojars-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/cloudflare-api-key.yaml b/generic/secrets/gitleaks/cloudflare-api-key.yaml
index 33e967153a..6558f9f9e1 100644
--- a/generic/secrets/gitleaks/cloudflare-api-key.yaml
+++ b/generic/secrets/gitleaks/cloudflare-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/cloudflare-global-api-key.yaml b/generic/secrets/gitleaks/cloudflare-global-api-key.yaml
index 9d014dbdb8..6d83702498 100644
--- a/generic/secrets/gitleaks/cloudflare-global-api-key.yaml
+++ b/generic/secrets/gitleaks/cloudflare-global-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml b/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
index adf4b23b22..2feaacfb20 100644
--- a/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
+++ b/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/codecov-access-token.yaml b/generic/secrets/gitleaks/codecov-access-token.yaml
index f9515d316f..d49c8362e4 100644
--- a/generic/secrets/gitleaks/codecov-access-token.yaml
+++ b/generic/secrets/gitleaks/codecov-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/coinbase-access-token.yaml b/generic/secrets/gitleaks/coinbase-access-token.yaml
index 4fd9aebe89..5f8001c754 100644
--- a/generic/secrets/gitleaks/coinbase-access-token.yaml
+++ b/generic/secrets/gitleaks/coinbase-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/confluent-access-token.yaml b/generic/secrets/gitleaks/confluent-access-token.yaml
index bbc6ce8f49..6265437908 100644
--- a/generic/secrets/gitleaks/confluent-access-token.yaml
+++ b/generic/secrets/gitleaks/confluent-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/confluent-secret-key.yaml b/generic/secrets/gitleaks/confluent-secret-key.yaml
index fb7cb1f52d..d5f0f72b14 100644
--- a/generic/secrets/gitleaks/confluent-secret-key.yaml
+++ b/generic/secrets/gitleaks/confluent-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/contentful-delivery-api-token.yaml b/generic/secrets/gitleaks/contentful-delivery-api-token.yaml
index 8ec12ef026..7ef8851b2a 100644
--- a/generic/secrets/gitleaks/contentful-delivery-api-token.yaml
+++ b/generic/secrets/gitleaks/contentful-delivery-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/databricks-api-token.yaml b/generic/secrets/gitleaks/databricks-api-token.yaml
index ba1e2023de..53f050e58d 100644
--- a/generic/secrets/gitleaks/databricks-api-token.yaml
+++ b/generic/secrets/gitleaks/databricks-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/datadog-access-token.yaml b/generic/secrets/gitleaks/datadog-access-token.yaml
index 73a332402c..af5dc993ac 100644
--- a/generic/secrets/gitleaks/datadog-access-token.yaml
+++ b/generic/secrets/gitleaks/datadog-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/defined-networking-api-token.yaml b/generic/secrets/gitleaks/defined-networking-api-token.yaml
index ad67b31107..afd232a7eb 100644
--- a/generic/secrets/gitleaks/defined-networking-api-token.yaml
+++ b/generic/secrets/gitleaks/defined-networking-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/digitalocean-access-token.yaml b/generic/secrets/gitleaks/digitalocean-access-token.yaml
index 4d907631dc..76530b512b 100644
--- a/generic/secrets/gitleaks/digitalocean-access-token.yaml
+++ b/generic/secrets/gitleaks/digitalocean-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/digitalocean-pat.yaml b/generic/secrets/gitleaks/digitalocean-pat.yaml
index 48cc5bf5d3..8e34dddb55 100644
--- a/generic/secrets/gitleaks/digitalocean-pat.yaml
+++ b/generic/secrets/gitleaks/digitalocean-pat.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/digitalocean-refresh-token.yaml b/generic/secrets/gitleaks/digitalocean-refresh-token.yaml
index c4abd2e6d7..eee063fa98 100644
--- a/generic/secrets/gitleaks/digitalocean-refresh-token.yaml
+++ b/generic/secrets/gitleaks/digitalocean-refresh-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/discord-api-token.yaml b/generic/secrets/gitleaks/discord-api-token.yaml
index 10305163a1..a8a0288cba 100644
--- a/generic/secrets/gitleaks/discord-api-token.yaml
+++ b/generic/secrets/gitleaks/discord-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/discord-client-id.yaml b/generic/secrets/gitleaks/discord-client-id.yaml
index 2a3f34c885..c5730c3b7c 100644
--- a/generic/secrets/gitleaks/discord-client-id.yaml
+++ b/generic/secrets/gitleaks/discord-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/discord-client-secret.yaml b/generic/secrets/gitleaks/discord-client-secret.yaml
index 0dc0a21caf..5031cbbc72 100644
--- a/generic/secrets/gitleaks/discord-client-secret.yaml
+++ b/generic/secrets/gitleaks/discord-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/doppler-api-token.yaml b/generic/secrets/gitleaks/doppler-api-token.yaml
index 4fa906b50d..d93e1fa1d1 100644
--- a/generic/secrets/gitleaks/doppler-api-token.yaml
+++ b/generic/secrets/gitleaks/doppler-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/droneci-access-token.yaml b/generic/secrets/gitleaks/droneci-access-token.yaml
index 87b22f19f6..355ac1b43b 100644
--- a/generic/secrets/gitleaks/droneci-access-token.yaml
+++ b/generic/secrets/gitleaks/droneci-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/dropbox-api-token.yaml b/generic/secrets/gitleaks/dropbox-api-token.yaml
index 44e072e701..db4e51980c 100644
--- a/generic/secrets/gitleaks/dropbox-api-token.yaml
+++ b/generic/secrets/gitleaks/dropbox-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml b/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml
index b0edbad230..b604938b83 100644
--- a/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml
+++ b/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml b/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml
index e6c729aeae..f135019488 100644
--- a/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml
+++ b/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/duffel-api-token.yaml b/generic/secrets/gitleaks/duffel-api-token.yaml
index 93a67e4ea9..9c7c933de0 100644
--- a/generic/secrets/gitleaks/duffel-api-token.yaml
+++ b/generic/secrets/gitleaks/duffel-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/dynatrace-api-token.yaml b/generic/secrets/gitleaks/dynatrace-api-token.yaml
index 1b8632cd81..f1d3453ea7 100644
--- a/generic/secrets/gitleaks/dynatrace-api-token.yaml
+++ b/generic/secrets/gitleaks/dynatrace-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/easypost-api-token.yaml b/generic/secrets/gitleaks/easypost-api-token.yaml
index bb01dc144e..b4645dc9dc 100644
--- a/generic/secrets/gitleaks/easypost-api-token.yaml
+++ b/generic/secrets/gitleaks/easypost-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/easypost-test-api-token.yaml b/generic/secrets/gitleaks/easypost-test-api-token.yaml
index c62c3d8f91..7e5fd77078 100644
--- a/generic/secrets/gitleaks/easypost-test-api-token.yaml
+++ b/generic/secrets/gitleaks/easypost-test-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/etsy-access-token.yaml b/generic/secrets/gitleaks/etsy-access-token.yaml
index 799c2e9a2a..a0fc67b85f 100644
--- a/generic/secrets/gitleaks/etsy-access-token.yaml
+++ b/generic/secrets/gitleaks/etsy-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/facebook-access-token.yaml b/generic/secrets/gitleaks/facebook-access-token.yaml
index 2344c7643e..67181b8ae8 100644
--- a/generic/secrets/gitleaks/facebook-access-token.yaml
+++ b/generic/secrets/gitleaks/facebook-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/facebook-page-access-token.yaml b/generic/secrets/gitleaks/facebook-page-access-token.yaml
index 5e8191f515..262b1ad6ab 100644
--- a/generic/secrets/gitleaks/facebook-page-access-token.yaml
+++ b/generic/secrets/gitleaks/facebook-page-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/facebook-secret.yaml b/generic/secrets/gitleaks/facebook-secret.yaml
index 1d5facc02a..d6b209ac26 100644
--- a/generic/secrets/gitleaks/facebook-secret.yaml
+++ b/generic/secrets/gitleaks/facebook-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/facebook.yaml b/generic/secrets/gitleaks/facebook.yaml
index 321b090720..9b570c3896 100644
--- a/generic/secrets/gitleaks/facebook.yaml
+++ b/generic/secrets/gitleaks/facebook.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/fastly-api-token.yaml b/generic/secrets/gitleaks/fastly-api-token.yaml
index b2b539313d..3cff9ba6e5 100644
--- a/generic/secrets/gitleaks/fastly-api-token.yaml
+++ b/generic/secrets/gitleaks/fastly-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/finicity-api-token.yaml b/generic/secrets/gitleaks/finicity-api-token.yaml
index 57b97e251e..ebbea1a8e6 100644
--- a/generic/secrets/gitleaks/finicity-api-token.yaml
+++ b/generic/secrets/gitleaks/finicity-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/finicity-client-secret.yaml b/generic/secrets/gitleaks/finicity-client-secret.yaml
index 47fdf50289..3fce594162 100644
--- a/generic/secrets/gitleaks/finicity-client-secret.yaml
+++ b/generic/secrets/gitleaks/finicity-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/finnhub-access-token.yaml b/generic/secrets/gitleaks/finnhub-access-token.yaml
index caa2249c36..72573b5d28 100644
--- a/generic/secrets/gitleaks/finnhub-access-token.yaml
+++ b/generic/secrets/gitleaks/finnhub-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/flickr-access-token.yaml b/generic/secrets/gitleaks/flickr-access-token.yaml
index df72d9b46d..eec677501c 100644
--- a/generic/secrets/gitleaks/flickr-access-token.yaml
+++ b/generic/secrets/gitleaks/flickr-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/flutterwave-encryption-key.yaml b/generic/secrets/gitleaks/flutterwave-encryption-key.yaml
index 6f443836bd..d453e3d460 100644
--- a/generic/secrets/gitleaks/flutterwave-encryption-key.yaml
+++ b/generic/secrets/gitleaks/flutterwave-encryption-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/flutterwave-public-key.yaml b/generic/secrets/gitleaks/flutterwave-public-key.yaml
index 3a79099834..b69cc542e3 100644
--- a/generic/secrets/gitleaks/flutterwave-public-key.yaml
+++ b/generic/secrets/gitleaks/flutterwave-public-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/flutterwave-secret-key.yaml b/generic/secrets/gitleaks/flutterwave-secret-key.yaml
index cc7bd0d694..2c0ff711eb 100644
--- a/generic/secrets/gitleaks/flutterwave-secret-key.yaml
+++ b/generic/secrets/gitleaks/flutterwave-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/frameio-api-token.yaml b/generic/secrets/gitleaks/frameio-api-token.yaml
index 4daf4c8d92..9b77611054 100644
--- a/generic/secrets/gitleaks/frameio-api-token.yaml
+++ b/generic/secrets/gitleaks/frameio-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/freshbooks-access-token.yaml b/generic/secrets/gitleaks/freshbooks-access-token.yaml
index c2abe89406..7db161cc42 100644
--- a/generic/secrets/gitleaks/freshbooks-access-token.yaml
+++ b/generic/secrets/gitleaks/freshbooks-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gcp-api-key.yaml b/generic/secrets/gitleaks/gcp-api-key.yaml
index 6ceb4d34d1..39422c9b16 100644
--- a/generic/secrets/gitleaks/gcp-api-key.yaml
+++ b/generic/secrets/gitleaks/gcp-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/generic-api-key.yaml b/generic/secrets/gitleaks/generic-api-key.yaml
index f1f1631ddd..d5505677d0 100644
--- a/generic/secrets/gitleaks/generic-api-key.yaml
+++ b/generic/secrets/gitleaks/generic-api-key.yaml
@@ -21,6 +21,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/github-app-token.yaml b/generic/secrets/gitleaks/github-app-token.yaml
index 269ba4b25a..625e7924f3 100644
--- a/generic/secrets/gitleaks/github-app-token.yaml
+++ b/generic/secrets/gitleaks/github-app-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/github-fine-grained-pat.yaml b/generic/secrets/gitleaks/github-fine-grained-pat.yaml
index a8557c8a48..62a6af5cc4 100644
--- a/generic/secrets/gitleaks/github-fine-grained-pat.yaml
+++ b/generic/secrets/gitleaks/github-fine-grained-pat.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/github-oauth.yaml b/generic/secrets/gitleaks/github-oauth.yaml
index 0d9a0b10f7..f2920c2a41 100644
--- a/generic/secrets/gitleaks/github-oauth.yaml
+++ b/generic/secrets/gitleaks/github-oauth.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/github-pat.yaml b/generic/secrets/gitleaks/github-pat.yaml
index c0468682a0..ad89a53391 100644
--- a/generic/secrets/gitleaks/github-pat.yaml
+++ b/generic/secrets/gitleaks/github-pat.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/github-refresh-token.yaml b/generic/secrets/gitleaks/github-refresh-token.yaml
index 4107387505..1575358654 100644
--- a/generic/secrets/gitleaks/github-refresh-token.yaml
+++ b/generic/secrets/gitleaks/github-refresh-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gitlab-pat.yaml b/generic/secrets/gitleaks/gitlab-pat.yaml
index 351a2a38fe..8e9ac7f9bb 100644
--- a/generic/secrets/gitleaks/gitlab-pat.yaml
+++ b/generic/secrets/gitleaks/gitlab-pat.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gitlab-ptt.yaml b/generic/secrets/gitleaks/gitlab-ptt.yaml
index d915829abe..1e92633fa2 100644
--- a/generic/secrets/gitleaks/gitlab-ptt.yaml
+++ b/generic/secrets/gitleaks/gitlab-ptt.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gitlab-rrt.yaml b/generic/secrets/gitleaks/gitlab-rrt.yaml
index 846100ef4a..ec137b62cd 100644
--- a/generic/secrets/gitleaks/gitlab-rrt.yaml
+++ b/generic/secrets/gitleaks/gitlab-rrt.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gitter-access-token.yaml b/generic/secrets/gitleaks/gitter-access-token.yaml
index 2cb158da4b..8b3b0103b8 100644
--- a/generic/secrets/gitleaks/gitter-access-token.yaml
+++ b/generic/secrets/gitleaks/gitter-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/gocardless-api-token.yaml b/generic/secrets/gitleaks/gocardless-api-token.yaml
index b0ed689af6..c19fafc5d9 100644
--- a/generic/secrets/gitleaks/gocardless-api-token.yaml
+++ b/generic/secrets/gitleaks/gocardless-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/grafana-api-key.yaml b/generic/secrets/gitleaks/grafana-api-key.yaml
index fa9978b807..d3957ec928 100644
--- a/generic/secrets/gitleaks/grafana-api-key.yaml
+++ b/generic/secrets/gitleaks/grafana-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/grafana-cloud-api-token.yaml b/generic/secrets/gitleaks/grafana-cloud-api-token.yaml
index a34a991cb7..dd25b8447d 100644
--- a/generic/secrets/gitleaks/grafana-cloud-api-token.yaml
+++ b/generic/secrets/gitleaks/grafana-cloud-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/grafana-service-account-token.yaml b/generic/secrets/gitleaks/grafana-service-account-token.yaml
index 2b8440df0a..f6d0643617 100644
--- a/generic/secrets/gitleaks/grafana-service-account-token.yaml
+++ b/generic/secrets/gitleaks/grafana-service-account-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml
index c668ea9573..2c45fe3194 100644
--- a/generic/secrets/gitleaks/harness-api-key.yaml
+++ b/generic/secrets/gitleaks/harness-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
index 8e8e8b1e32..8ef7ed3f70 100644
--- a/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
+++ b/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/hashicorp-tf-password.yaml b/generic/secrets/gitleaks/hashicorp-tf-password.yaml
index 321c03e714..57c97187a3 100644
--- a/generic/secrets/gitleaks/hashicorp-tf-password.yaml
+++ b/generic/secrets/gitleaks/hashicorp-tf-password.yaml
@@ -19,6 +19,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/heroku-api-key.yaml b/generic/secrets/gitleaks/heroku-api-key.yaml
index d56827e78b..ba729febad 100644
--- a/generic/secrets/gitleaks/heroku-api-key.yaml
+++ b/generic/secrets/gitleaks/heroku-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/hubspot-api-key.yaml b/generic/secrets/gitleaks/hubspot-api-key.yaml
index f6e7d8ee93..41a89dba7d 100644
--- a/generic/secrets/gitleaks/hubspot-api-key.yaml
+++ b/generic/secrets/gitleaks/hubspot-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/huggingface-access-token.yaml b/generic/secrets/gitleaks/huggingface-access-token.yaml
index cf18c503b3..dd28258fa3 100644
--- a/generic/secrets/gitleaks/huggingface-access-token.yaml
+++ b/generic/secrets/gitleaks/huggingface-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/huggingface-organization-api-token.yaml b/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
index f1d91d9073..513d7cfde7 100644
--- a/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
+++ b/generic/secrets/gitleaks/huggingface-organization-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/infracost-api-token.yaml b/generic/secrets/gitleaks/infracost-api-token.yaml
index f5575d7734..1aba55b00d 100644
--- a/generic/secrets/gitleaks/infracost-api-token.yaml
+++ b/generic/secrets/gitleaks/infracost-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/intercom-api-key.yaml b/generic/secrets/gitleaks/intercom-api-key.yaml
index 3805cd60fe..1b91520bf2 100644
--- a/generic/secrets/gitleaks/intercom-api-key.yaml
+++ b/generic/secrets/gitleaks/intercom-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/intra42-client-secret.yaml b/generic/secrets/gitleaks/intra42-client-secret.yaml
index 08a2cc575d..5e256fbee2 100644
--- a/generic/secrets/gitleaks/intra42-client-secret.yaml
+++ b/generic/secrets/gitleaks/intra42-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/jfrog-api-key.yaml b/generic/secrets/gitleaks/jfrog-api-key.yaml
index 126c75fb0e..5e92cad4bc 100644
--- a/generic/secrets/gitleaks/jfrog-api-key.yaml
+++ b/generic/secrets/gitleaks/jfrog-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/jfrog-identity-token.yaml b/generic/secrets/gitleaks/jfrog-identity-token.yaml
index 6221dd82de..e54ea3540e 100644
--- a/generic/secrets/gitleaks/jfrog-identity-token.yaml
+++ b/generic/secrets/gitleaks/jfrog-identity-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/jwt-base64.yaml b/generic/secrets/gitleaks/jwt-base64.yaml
index 6dcfda8548..1f9f09a9dd 100644
--- a/generic/secrets/gitleaks/jwt-base64.yaml
+++ b/generic/secrets/gitleaks/jwt-base64.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/jwt.yaml b/generic/secrets/gitleaks/jwt.yaml
index 24888adaef..a78f0ae7bd 100644
--- a/generic/secrets/gitleaks/jwt.yaml
+++ b/generic/secrets/gitleaks/jwt.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/kraken-access-token.yaml b/generic/secrets/gitleaks/kraken-access-token.yaml
index 77747eac5e..b2ec5bec1f 100644
--- a/generic/secrets/gitleaks/kraken-access-token.yaml
+++ b/generic/secrets/gitleaks/kraken-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/kucoin-access-token.yaml b/generic/secrets/gitleaks/kucoin-access-token.yaml
index c7e37dc098..f83e0d88e1 100644
--- a/generic/secrets/gitleaks/kucoin-access-token.yaml
+++ b/generic/secrets/gitleaks/kucoin-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/kucoin-secret-key.yaml b/generic/secrets/gitleaks/kucoin-secret-key.yaml
index e46fb38c7e..77b92cf7bb 100644
--- a/generic/secrets/gitleaks/kucoin-secret-key.yaml
+++ b/generic/secrets/gitleaks/kucoin-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/launchdarkly-access-token.yaml b/generic/secrets/gitleaks/launchdarkly-access-token.yaml
index 744aa245dc..c2fe41ee17 100644
--- a/generic/secrets/gitleaks/launchdarkly-access-token.yaml
+++ b/generic/secrets/gitleaks/launchdarkly-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/linear-api-key.yaml b/generic/secrets/gitleaks/linear-api-key.yaml
index 073694c45f..cc84ee0ef1 100644
--- a/generic/secrets/gitleaks/linear-api-key.yaml
+++ b/generic/secrets/gitleaks/linear-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/linear-client-secret.yaml b/generic/secrets/gitleaks/linear-client-secret.yaml
index 1e81cd9250..291041e441 100644
--- a/generic/secrets/gitleaks/linear-client-secret.yaml
+++ b/generic/secrets/gitleaks/linear-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/linkedin-client-id.yaml b/generic/secrets/gitleaks/linkedin-client-id.yaml
index 5270d87799..b4db1ca31b 100644
--- a/generic/secrets/gitleaks/linkedin-client-id.yaml
+++ b/generic/secrets/gitleaks/linkedin-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/linkedin-client-secret.yaml b/generic/secrets/gitleaks/linkedin-client-secret.yaml
index 629c0ff571..175f7788f7 100644
--- a/generic/secrets/gitleaks/linkedin-client-secret.yaml
+++ b/generic/secrets/gitleaks/linkedin-client-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/lob-api-key.yaml b/generic/secrets/gitleaks/lob-api-key.yaml
index 39433bd009..7cc9e57135 100644
--- a/generic/secrets/gitleaks/lob-api-key.yaml
+++ b/generic/secrets/gitleaks/lob-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/lob-pub-api-key.yaml b/generic/secrets/gitleaks/lob-pub-api-key.yaml
index f29532b998..0173307c03 100644
--- a/generic/secrets/gitleaks/lob-pub-api-key.yaml
+++ b/generic/secrets/gitleaks/lob-pub-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mailchimp-api-key.yaml b/generic/secrets/gitleaks/mailchimp-api-key.yaml
index 7f2bcc15d9..0fa6cbfc3c 100644
--- a/generic/secrets/gitleaks/mailchimp-api-key.yaml
+++ b/generic/secrets/gitleaks/mailchimp-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mailgun-private-api-token.yaml b/generic/secrets/gitleaks/mailgun-private-api-token.yaml
index ed9906de66..b762952e06 100644
--- a/generic/secrets/gitleaks/mailgun-private-api-token.yaml
+++ b/generic/secrets/gitleaks/mailgun-private-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mailgun-pub-key.yaml b/generic/secrets/gitleaks/mailgun-pub-key.yaml
index a887bbdf09..c98a114cbc 100644
--- a/generic/secrets/gitleaks/mailgun-pub-key.yaml
+++ b/generic/secrets/gitleaks/mailgun-pub-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mailgun-signing-key.yaml b/generic/secrets/gitleaks/mailgun-signing-key.yaml
index a5731a6ca5..4f78897f06 100644
--- a/generic/secrets/gitleaks/mailgun-signing-key.yaml
+++ b/generic/secrets/gitleaks/mailgun-signing-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mapbox-api-token.yaml b/generic/secrets/gitleaks/mapbox-api-token.yaml
index 74a4c1c21c..953c702571 100644
--- a/generic/secrets/gitleaks/mapbox-api-token.yaml
+++ b/generic/secrets/gitleaks/mapbox-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/mattermost-access-token.yaml b/generic/secrets/gitleaks/mattermost-access-token.yaml
index b87cc0e61d..ae957fa2dc 100644
--- a/generic/secrets/gitleaks/mattermost-access-token.yaml
+++ b/generic/secrets/gitleaks/mattermost-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/messagebird-api-token.yaml b/generic/secrets/gitleaks/messagebird-api-token.yaml
index 24da45e942..34a2f5262d 100644
--- a/generic/secrets/gitleaks/messagebird-api-token.yaml
+++ b/generic/secrets/gitleaks/messagebird-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/messagebird-client-id.yaml b/generic/secrets/gitleaks/messagebird-client-id.yaml
index 8260ab4b02..fcdee6f01c 100644
--- a/generic/secrets/gitleaks/messagebird-client-id.yaml
+++ b/generic/secrets/gitleaks/messagebird-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/microsoft-teams-webhook.yaml b/generic/secrets/gitleaks/microsoft-teams-webhook.yaml
index 1a4ec87327..31b165c72a 100644
--- a/generic/secrets/gitleaks/microsoft-teams-webhook.yaml
+++ b/generic/secrets/gitleaks/microsoft-teams-webhook.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/netlify-access-token.yaml b/generic/secrets/gitleaks/netlify-access-token.yaml
index b6014f3a8e..64b22bbe5d 100644
--- a/generic/secrets/gitleaks/netlify-access-token.yaml
+++ b/generic/secrets/gitleaks/netlify-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/new-relic-browser-api-token.yaml b/generic/secrets/gitleaks/new-relic-browser-api-token.yaml
index 909e5a9ac2..0e614b0d75 100644
--- a/generic/secrets/gitleaks/new-relic-browser-api-token.yaml
+++ b/generic/secrets/gitleaks/new-relic-browser-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/new-relic-insert-key.yaml b/generic/secrets/gitleaks/new-relic-insert-key.yaml
index 42f411f528..5556426133 100644
--- a/generic/secrets/gitleaks/new-relic-insert-key.yaml
+++ b/generic/secrets/gitleaks/new-relic-insert-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/new-relic-user-api-id.yaml b/generic/secrets/gitleaks/new-relic-user-api-id.yaml
index f491b7cdec..5312a52abb 100644
--- a/generic/secrets/gitleaks/new-relic-user-api-id.yaml
+++ b/generic/secrets/gitleaks/new-relic-user-api-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/new-relic-user-api-key.yaml b/generic/secrets/gitleaks/new-relic-user-api-key.yaml
index ff785e97dd..ef6eb5e71a 100644
--- a/generic/secrets/gitleaks/new-relic-user-api-key.yaml
+++ b/generic/secrets/gitleaks/new-relic-user-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/npm-access-token.yaml b/generic/secrets/gitleaks/npm-access-token.yaml
index a26874a970..f72e07cedc 100644
--- a/generic/secrets/gitleaks/npm-access-token.yaml
+++ b/generic/secrets/gitleaks/npm-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/nytimes-access-token.yaml b/generic/secrets/gitleaks/nytimes-access-token.yaml
index 72ec958b6a..3a3a07aca9 100644
--- a/generic/secrets/gitleaks/nytimes-access-token.yaml
+++ b/generic/secrets/gitleaks/nytimes-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/okta-access-token.yaml b/generic/secrets/gitleaks/okta-access-token.yaml
index c15e82cab9..913bc5d784 100644
--- a/generic/secrets/gitleaks/okta-access-token.yaml
+++ b/generic/secrets/gitleaks/okta-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/openai-api-key.yaml b/generic/secrets/gitleaks/openai-api-key.yaml
index 605e39458a..4ba665a692 100644
--- a/generic/secrets/gitleaks/openai-api-key.yaml
+++ b/generic/secrets/gitleaks/openai-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/plaid-api-token.yaml b/generic/secrets/gitleaks/plaid-api-token.yaml
index f32ed3c1fd..0d46b00e38 100644
--- a/generic/secrets/gitleaks/plaid-api-token.yaml
+++ b/generic/secrets/gitleaks/plaid-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/plaid-client-id.yaml b/generic/secrets/gitleaks/plaid-client-id.yaml
index 2c5e88b588..c3f361ffff 100644
--- a/generic/secrets/gitleaks/plaid-client-id.yaml
+++ b/generic/secrets/gitleaks/plaid-client-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/plaid-secret-key.yaml b/generic/secrets/gitleaks/plaid-secret-key.yaml
index 20e10e6c7a..8d1780c95f 100644
--- a/generic/secrets/gitleaks/plaid-secret-key.yaml
+++ b/generic/secrets/gitleaks/plaid-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/planetscale-api-token.yaml b/generic/secrets/gitleaks/planetscale-api-token.yaml
index c7a497c326..4f60cc4160 100644
--- a/generic/secrets/gitleaks/planetscale-api-token.yaml
+++ b/generic/secrets/gitleaks/planetscale-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/planetscale-oauth-token.yaml b/generic/secrets/gitleaks/planetscale-oauth-token.yaml
index 138da665bf..8644001506 100644
--- a/generic/secrets/gitleaks/planetscale-oauth-token.yaml
+++ b/generic/secrets/gitleaks/planetscale-oauth-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/planetscale-password.yaml b/generic/secrets/gitleaks/planetscale-password.yaml
index a3413e1274..2316936d65 100644
--- a/generic/secrets/gitleaks/planetscale-password.yaml
+++ b/generic/secrets/gitleaks/planetscale-password.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/postman-api-token.yaml b/generic/secrets/gitleaks/postman-api-token.yaml
index 0cf776d1b1..0bb40f4e58 100644
--- a/generic/secrets/gitleaks/postman-api-token.yaml
+++ b/generic/secrets/gitleaks/postman-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/prefect-api-token.yaml b/generic/secrets/gitleaks/prefect-api-token.yaml
index 22406a07e5..458d1e8321 100644
--- a/generic/secrets/gitleaks/prefect-api-token.yaml
+++ b/generic/secrets/gitleaks/prefect-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/private-key.yaml b/generic/secrets/gitleaks/private-key.yaml
index 13e8f3fef4..e66128f201 100644
--- a/generic/secrets/gitleaks/private-key.yaml
+++ b/generic/secrets/gitleaks/private-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/pulumi-api-token.yaml b/generic/secrets/gitleaks/pulumi-api-token.yaml
index 9ea594625d..2562f6fa23 100644
--- a/generic/secrets/gitleaks/pulumi-api-token.yaml
+++ b/generic/secrets/gitleaks/pulumi-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/pypi-upload-token.yaml b/generic/secrets/gitleaks/pypi-upload-token.yaml
index 00e4539480..4f0713a166 100644
--- a/generic/secrets/gitleaks/pypi-upload-token.yaml
+++ b/generic/secrets/gitleaks/pypi-upload-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/rapidapi-access-token.yaml b/generic/secrets/gitleaks/rapidapi-access-token.yaml
index f461216a3c..768a1b096a 100644
--- a/generic/secrets/gitleaks/rapidapi-access-token.yaml
+++ b/generic/secrets/gitleaks/rapidapi-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/readme-api-token.yaml b/generic/secrets/gitleaks/readme-api-token.yaml
index 8007e54677..2046e2a3be 100644
--- a/generic/secrets/gitleaks/readme-api-token.yaml
+++ b/generic/secrets/gitleaks/readme-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/rubygems-api-token.yaml b/generic/secrets/gitleaks/rubygems-api-token.yaml
index 1ab20eb895..d75071e8f8 100644
--- a/generic/secrets/gitleaks/rubygems-api-token.yaml
+++ b/generic/secrets/gitleaks/rubygems-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/scalingo-api-token.yaml b/generic/secrets/gitleaks/scalingo-api-token.yaml
index c55fccb82a..1b6a800d09 100644
--- a/generic/secrets/gitleaks/scalingo-api-token.yaml
+++ b/generic/secrets/gitleaks/scalingo-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sendbird-access-id.yaml b/generic/secrets/gitleaks/sendbird-access-id.yaml
index 4b51ef976c..ac25e21347 100644
--- a/generic/secrets/gitleaks/sendbird-access-id.yaml
+++ b/generic/secrets/gitleaks/sendbird-access-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sendbird-access-token.yaml b/generic/secrets/gitleaks/sendbird-access-token.yaml
index 7a31e817a4..cecc82533c 100644
--- a/generic/secrets/gitleaks/sendbird-access-token.yaml
+++ b/generic/secrets/gitleaks/sendbird-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sendgrid-api-token.yaml b/generic/secrets/gitleaks/sendgrid-api-token.yaml
index 6180651e89..3505e5a527 100644
--- a/generic/secrets/gitleaks/sendgrid-api-token.yaml
+++ b/generic/secrets/gitleaks/sendgrid-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sendinblue-api-token.yaml b/generic/secrets/gitleaks/sendinblue-api-token.yaml
index 31647cc7de..d2fc1f6bb5 100644
--- a/generic/secrets/gitleaks/sendinblue-api-token.yaml
+++ b/generic/secrets/gitleaks/sendinblue-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sentry-access-token.yaml b/generic/secrets/gitleaks/sentry-access-token.yaml
index 52845ac6b5..471573adb5 100644
--- a/generic/secrets/gitleaks/sentry-access-token.yaml
+++ b/generic/secrets/gitleaks/sentry-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/shippo-api-token.yaml b/generic/secrets/gitleaks/shippo-api-token.yaml
index 90aacf14ea..c99b708188 100644
--- a/generic/secrets/gitleaks/shippo-api-token.yaml
+++ b/generic/secrets/gitleaks/shippo-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/shopify-access-token.yaml b/generic/secrets/gitleaks/shopify-access-token.yaml
index d2ef929206..4fe13108d8 100644
--- a/generic/secrets/gitleaks/shopify-access-token.yaml
+++ b/generic/secrets/gitleaks/shopify-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/shopify-custom-access-token.yaml b/generic/secrets/gitleaks/shopify-custom-access-token.yaml
index 3023a7e618..9286439316 100644
--- a/generic/secrets/gitleaks/shopify-custom-access-token.yaml
+++ b/generic/secrets/gitleaks/shopify-custom-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/shopify-private-app-access-token.yaml b/generic/secrets/gitleaks/shopify-private-app-access-token.yaml
index d455bd6879..3fb00797fb 100644
--- a/generic/secrets/gitleaks/shopify-private-app-access-token.yaml
+++ b/generic/secrets/gitleaks/shopify-private-app-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/shopify-shared-secret.yaml b/generic/secrets/gitleaks/shopify-shared-secret.yaml
index 3517d46adf..4d2a45c878 100644
--- a/generic/secrets/gitleaks/shopify-shared-secret.yaml
+++ b/generic/secrets/gitleaks/shopify-shared-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sidekiq-secret.yaml b/generic/secrets/gitleaks/sidekiq-secret.yaml
index 718177f2c3..9debf729e7 100644
--- a/generic/secrets/gitleaks/sidekiq-secret.yaml
+++ b/generic/secrets/gitleaks/sidekiq-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
index 72d9b8d4e5..455338c576 100644
--- a/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
+++ b/generic/secrets/gitleaks/sidekiq-sensitive-url.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-app-token.yaml b/generic/secrets/gitleaks/slack-app-token.yaml
index 51c5c8c0b8..b0b52e6374 100644
--- a/generic/secrets/gitleaks/slack-app-token.yaml
+++ b/generic/secrets/gitleaks/slack-app-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-bot-token.yaml b/generic/secrets/gitleaks/slack-bot-token.yaml
index 378efda059..fb269d3e08 100644
--- a/generic/secrets/gitleaks/slack-bot-token.yaml
+++ b/generic/secrets/gitleaks/slack-bot-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-config-access-token.yaml b/generic/secrets/gitleaks/slack-config-access-token.yaml
index 3d51c7269d..aee6a458f9 100644
--- a/generic/secrets/gitleaks/slack-config-access-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-config-refresh-token.yaml b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
index f76799ee1e..3edc829008 100644
--- a/generic/secrets/gitleaks/slack-config-refresh-token.yaml
+++ b/generic/secrets/gitleaks/slack-config-refresh-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-legacy-bot-token.yaml b/generic/secrets/gitleaks/slack-legacy-bot-token.yaml
index 262968f2cf..bb9b997a35 100644
--- a/generic/secrets/gitleaks/slack-legacy-bot-token.yaml
+++ b/generic/secrets/gitleaks/slack-legacy-bot-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-legacy-token.yaml b/generic/secrets/gitleaks/slack-legacy-token.yaml
index e5565a553b..6b094710ec 100644
--- a/generic/secrets/gitleaks/slack-legacy-token.yaml
+++ b/generic/secrets/gitleaks/slack-legacy-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml b/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml
index 334680d7e9..e2dd48c8f3 100644
--- a/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml
+++ b/generic/secrets/gitleaks/slack-legacy-workspace-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-user-token.yaml b/generic/secrets/gitleaks/slack-user-token.yaml
index 70c5cb0277..665e792a05 100644
--- a/generic/secrets/gitleaks/slack-user-token.yaml
+++ b/generic/secrets/gitleaks/slack-user-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/slack-webhook-url.yaml b/generic/secrets/gitleaks/slack-webhook-url.yaml
index a663b4270d..3efed0b9f1 100644
--- a/generic/secrets/gitleaks/slack-webhook-url.yaml
+++ b/generic/secrets/gitleaks/slack-webhook-url.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/snyk-api-token.yaml b/generic/secrets/gitleaks/snyk-api-token.yaml
index 71bb2e3fce..10a15b1c3d 100644
--- a/generic/secrets/gitleaks/snyk-api-token.yaml
+++ b/generic/secrets/gitleaks/snyk-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/square-access-token.yaml b/generic/secrets/gitleaks/square-access-token.yaml
index b5d503e5df..1c71797541 100644
--- a/generic/secrets/gitleaks/square-access-token.yaml
+++ b/generic/secrets/gitleaks/square-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/squarespace-access-token.yaml b/generic/secrets/gitleaks/squarespace-access-token.yaml
index 93af76cc90..8c87315cef 100644
--- a/generic/secrets/gitleaks/squarespace-access-token.yaml
+++ b/generic/secrets/gitleaks/squarespace-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/stripe-access-token.yaml b/generic/secrets/gitleaks/stripe-access-token.yaml
index 484c7a8093..c43413e287 100644
--- a/generic/secrets/gitleaks/stripe-access-token.yaml
+++ b/generic/secrets/gitleaks/stripe-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sumologic-access-id.yaml b/generic/secrets/gitleaks/sumologic-access-id.yaml
index 2a21633e6e..38e6c98cbb 100644
--- a/generic/secrets/gitleaks/sumologic-access-id.yaml
+++ b/generic/secrets/gitleaks/sumologic-access-id.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/sumologic-access-token.yaml b/generic/secrets/gitleaks/sumologic-access-token.yaml
index 2413409487..297645fc74 100644
--- a/generic/secrets/gitleaks/sumologic-access-token.yaml
+++ b/generic/secrets/gitleaks/sumologic-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index a9edae9d57..7caf8b55a5 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/travisci-access-token.yaml b/generic/secrets/gitleaks/travisci-access-token.yaml
index fa4baab6cc..de592b7b3a 100644
--- a/generic/secrets/gitleaks/travisci-access-token.yaml
+++ b/generic/secrets/gitleaks/travisci-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twilio-api-key.yaml b/generic/secrets/gitleaks/twilio-api-key.yaml
index 582846897f..abefd05bfe 100644
--- a/generic/secrets/gitleaks/twilio-api-key.yaml
+++ b/generic/secrets/gitleaks/twilio-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitch-api-token.yaml b/generic/secrets/gitleaks/twitch-api-token.yaml
index 5e82d0a25f..b888a5f149 100644
--- a/generic/secrets/gitleaks/twitch-api-token.yaml
+++ b/generic/secrets/gitleaks/twitch-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitter-access-secret.yaml b/generic/secrets/gitleaks/twitter-access-secret.yaml
index 3d938b6beb..e69db77600 100644
--- a/generic/secrets/gitleaks/twitter-access-secret.yaml
+++ b/generic/secrets/gitleaks/twitter-access-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitter-access-token.yaml b/generic/secrets/gitleaks/twitter-access-token.yaml
index 957e82c248..6d721e9592 100644
--- a/generic/secrets/gitleaks/twitter-access-token.yaml
+++ b/generic/secrets/gitleaks/twitter-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitter-api-key.yaml b/generic/secrets/gitleaks/twitter-api-key.yaml
index be0e9f5a0c..41bcbafe5f 100644
--- a/generic/secrets/gitleaks/twitter-api-key.yaml
+++ b/generic/secrets/gitleaks/twitter-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitter-api-secret.yaml b/generic/secrets/gitleaks/twitter-api-secret.yaml
index 1233af70d4..a0ef6a7da1 100644
--- a/generic/secrets/gitleaks/twitter-api-secret.yaml
+++ b/generic/secrets/gitleaks/twitter-api-secret.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/twitter-bearer-token.yaml b/generic/secrets/gitleaks/twitter-bearer-token.yaml
index 015a8efa94..f0d8c7f479 100644
--- a/generic/secrets/gitleaks/twitter-bearer-token.yaml
+++ b/generic/secrets/gitleaks/twitter-bearer-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/typeform-api-token.yaml b/generic/secrets/gitleaks/typeform-api-token.yaml
index d90efbf17e..4560da5a90 100644
--- a/generic/secrets/gitleaks/typeform-api-token.yaml
+++ b/generic/secrets/gitleaks/typeform-api-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/vault-batch-token.yaml b/generic/secrets/gitleaks/vault-batch-token.yaml
index 5ab63bf906..8260a5b8f3 100644
--- a/generic/secrets/gitleaks/vault-batch-token.yaml
+++ b/generic/secrets/gitleaks/vault-batch-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/vault-service-token.yaml b/generic/secrets/gitleaks/vault-service-token.yaml
index 87e757131c..ca419bcd8d 100644
--- a/generic/secrets/gitleaks/vault-service-token.yaml
+++ b/generic/secrets/gitleaks/vault-service-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/yandex-access-token.yaml b/generic/secrets/gitleaks/yandex-access-token.yaml
index e004bb9231..3e4c387fea 100644
--- a/generic/secrets/gitleaks/yandex-access-token.yaml
+++ b/generic/secrets/gitleaks/yandex-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/yandex-api-key.yaml b/generic/secrets/gitleaks/yandex-api-key.yaml
index 7998737c47..03648aea96 100644
--- a/generic/secrets/gitleaks/yandex-api-key.yaml
+++ b/generic/secrets/gitleaks/yandex-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/yandex-aws-access-token.yaml b/generic/secrets/gitleaks/yandex-aws-access-token.yaml
index f0e160e2ac..e20ca43757 100644
--- a/generic/secrets/gitleaks/yandex-aws-access-token.yaml
+++ b/generic/secrets/gitleaks/yandex-aws-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/gitleaks/zendesk-secret-key.yaml b/generic/secrets/gitleaks/zendesk-secret-key.yaml
index 9e2f3440ce..4e03635daf 100644
--- a/generic/secrets/gitleaks/zendesk-secret-key.yaml
+++ b/generic/secrets/gitleaks/zendesk-secret-key.yaml
@@ -15,6 +15,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
diff --git a/generic/secrets/security/detected-amazon-mws-auth-token.yaml b/generic/secrets/security/detected-amazon-mws-auth-token.yaml
index ff19d6b59f..7f89cdc60f 100644
--- a/generic/secrets/security/detected-amazon-mws-auth-token.yaml
+++ b/generic/secrets/security/detected-amazon-mws-auth-token.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-artifactory-password.yaml b/generic/secrets/security/detected-artifactory-password.yaml
index a414707c51..5b1556fce7 100644
--- a/generic/secrets/security/detected-artifactory-password.yaml
+++ b/generic/secrets/security/detected-artifactory-password.yaml
@@ -36,6 +36,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-artifactory-token.yaml b/generic/secrets/security/detected-artifactory-token.yaml
index a25df456ad..1acf5e673d 100644
--- a/generic/secrets/security/detected-artifactory-token.yaml
+++ b/generic/secrets/security/detected-artifactory-token.yaml
@@ -32,6 +32,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-aws-access-key-id-value.yaml b/generic/secrets/security/detected-aws-access-key-id-value.yaml
index 1553b5d872..682d17c132 100644
--- a/generic/secrets/security/detected-aws-access-key-id-value.yaml
+++ b/generic/secrets/security/detected-aws-access-key-id-value.yaml
@@ -18,6 +18,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
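Review bot: In the `detected-amazon-mws-auth-token.yaml` hunk the `references` list still cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures`, while the new `owasp` entry adds `A07:2025 - Authentication Failures`; anyone following the link from the 2025 tag lands on the 2021 category, which carries a different title and CWE list. Add the matching 2025 page as a second item under `references` (presumably `https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/` — verify the slug before committing) so each listed category has its own citation. The rule's pattern and message sit outside the hunk.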
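Review bot: The `detected-artifactory-password.yaml` hunk (`@@ -36,6 +36,7 @@`) adds `A07:2025 - Authentication Failures` but leaves `references` pointing only at the 2021 A07 page, so the citation no longer covers both tags. Append the 2025 A07 page as a second `references` item (the exact slug should be checked against owasp.org). The rule body begins outside the hunk.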
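Review bot: Same gap in the `detected-artifactory-token.yaml` hunk (`@@ -32,6 +32,7 @@`): `owasp` now lists both the 2021 and 2025 A07 categories, but `references` cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures`. Add the corresponding 2025 A07 page next to it so the metadata stays self-consistent. The enclosing rule starts before the hunk.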
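Review bot: In the `detected-aws-access-key-id-value.yaml` hunk (`@@ -18,6 +18,7 @@`) the new `A07:2025 - Authentication Failures` tag has no matching citation; `references` still lists only the 2021 A07 URL. Add the 2025 A07 page as a second list item under `references` (verify the exact owasp.org path). The rest of the rule is outside the hunk.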
diff --git a/generic/secrets/security/detected-aws-account-id.yaml b/generic/secrets/security/detected-aws-account-id.yaml
index d85f600c06..26249e4016 100644
--- a/generic/secrets/security/detected-aws-account-id.yaml
+++ b/generic/secrets/security/detected-aws-account-id.yaml
@@ -47,6 +47,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-aws-appsync-graphql-key.yaml b/generic/secrets/security/detected-aws-appsync-graphql-key.yaml
index a2493e1485..3ac3189f5d 100644
--- a/generic/secrets/security/detected-aws-appsync-graphql-key.yaml
+++ b/generic/secrets/security/detected-aws-appsync-graphql-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-aws-secret-access-key.yaml b/generic/secrets/security/detected-aws-secret-access-key.yaml
index 4165b9843b..175c2f88f4 100644
--- a/generic/secrets/security/detected-aws-secret-access-key.yaml
+++ b/generic/secrets/security/detected-aws-secret-access-key.yaml
@@ -18,6 +18,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-aws-session-token.yaml b/generic/secrets/security/detected-aws-session-token.yaml
index ca25daf364..0b6ee9e62f 100644
--- a/generic/secrets/security/detected-aws-session-token.yaml
+++ b/generic/secrets/security/detected-aws-session-token.yaml
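Review bot: In the `detected-aws-account-id.yaml` hunk (`@@ -47,6 +47,7 @@`) `references` still cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures` after `A07:2025 - Authentication Failures` is added to `owasp`, so the 2025 tag has no supporting link. Append the 2025 A07 page as a second `references` entry (presumably under `https://owasp.org/Top10/2025/` — confirm the slug). The rule's pattern and message sit outside the hunk.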
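Review bot: The `detected-aws-appsync-graphql-key.yaml` hunk (`@@ -15,6 +15,7 @@`) adds the 2025 A07 tag without a corresponding reference; only the 2021 page is listed under `references`. Add the 2025 A07 page beside it so both categories are cited. The enclosing rule begins before the hunk.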
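Review bot: Same in the `detected-aws-secret-access-key.yaml` hunk (`@@ -18,6 +18,7 @@`): `owasp` gains `A07:2025 - Authentication Failures`, but `references` is left with only the 2021 A07 URL. Append the 2025 A07 page as a second `references` item (check the exact owasp.org path). The rest of the rule is outside the hunk.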
@@ -20,6 +20,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-bcrypt-hash.yaml b/generic/secrets/security/detected-bcrypt-hash.yaml
index 86217ba4c4..43512f9e35 100644
--- a/generic/secrets/security/detected-bcrypt-hash.yaml
+++ b/generic/secrets/security/detected-bcrypt-hash.yaml
@@ -14,6 +14,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-codeclimate.yaml b/generic/secrets/security/detected-codeclimate.yaml
index 5477456023..45461a9fa7 100644
--- a/generic/secrets/security/detected-codeclimate.yaml
+++ b/generic/secrets/security/detected-codeclimate.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-etc-shadow.yaml b/generic/secrets/security/detected-etc-shadow.yaml
index db48648a91..969725d4ef 100644
--- a/generic/secrets/security/detected-etc-shadow.yaml
+++ b/generic/secrets/security/detected-etc-shadow.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-facebook-access-token.yaml b/generic/secrets/security/detected-facebook-access-token.yaml
index 1fa50ad663..3ec5f59981 100644
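Review bot: In the `detected-aws-session-token.yaml` hunk (`@@ -20,6 +20,7 @@`, file header on the previous line) the added `A07:2025 - Authentication Failures` tag is not backed by `references`, which still cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures`. Add the 2025 A07 page as a second list item (presumably `https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/` — verify the slug). The rule body starts outside the hunk.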
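Review bot: The `detected-bcrypt-hash.yaml` hunk (`@@ -14,6 +14,7 @@`) lists both the 2021 and 2025 A07 categories under `owasp` but cites only the 2021 page under `references`. Append the 2025 A07 page so a reader following the 2025 tag is not sent to the old category definition. The enclosing rule begins before the hunk.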
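Review bot: Same gap in the `detected-codeclimate.yaml` hunk (`@@ -16,6 +16,7 @@`): `A07:2025 - Authentication Failures` is added but `references` keeps only the 2021 A07 URL. Add the 2025 A07 page as a second `references` entry (confirm the exact owasp.org path). The rest of the rule is outside the hunk.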
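Review bot: In the `detected-etc-shadow.yaml` hunk (`@@ -15,6 +15,7 @@`) the new 2025 tag has no matching citation; `references` still lists only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures`. Append the 2025 A07 page beside it so each `owasp` entry has its own reference. The rule body begins before the hunk.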
--- a/generic/secrets/security/detected-facebook-access-token.yaml
+++ b/generic/secrets/security/detected-facebook-access-token.yaml
@@ -18,6 +18,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-facebook-oauth.yaml b/generic/secrets/security/detected-facebook-oauth.yaml
index 3acbf48998..318099b289 100644
--- a/generic/secrets/security/detected-facebook-oauth.yaml
+++ b/generic/secrets/security/detected-facebook-oauth.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-generic-api-key.yaml b/generic/secrets/security/detected-generic-api-key.yaml
index feea76fb46..a966da7368 100644
--- a/generic/secrets/security/detected-generic-api-key.yaml
+++ b/generic/secrets/security/detected-generic-api-key.yaml
@@ -18,6 +18,7 @@ rules:
 - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-798: Use of Hard-coded Credentials'
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-generic-secret.yaml b/generic/secrets/security/detected-generic-secret.yaml
index 31d1986e2d..f3362a8b91 100644
--- a/generic/secrets/security/detected-generic-secret.yaml
+++ b/generic/secrets/security/detected-generic-secret.yaml
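Review bot: In the `detected-facebook-access-token.yaml` hunk (`@@ -18,6 +18,7 @@`, file header split across the previous line) `references` still cites only the 2021 A07 page after `A07:2025 - Authentication Failures` is added to `owasp`. Add the 2025 A07 page as a second `references` item (presumably `https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/` — verify the slug). The rule's pattern and message sit outside the hunk.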
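Review bot: The `detected-facebook-oauth.yaml` hunk (`@@ -16,6 +16,7 @@`) adds the 2025 A07 tag without a corresponding reference; only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures` is listed. Append the 2025 A07 page so both categories are cited. The enclosing rule begins before the hunk.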
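Review bot: In the `detected-generic-api-key.yaml` hunk (`@@ -18,6 +18,7 @@`) the visible tail of `references` cites only the truffleHog regex list, and the hunk adds `A07:2025 - Authentication Failures` without any OWASP citation in view. If the 2021 A07 page is listed further up (outside the hunk), add the 2025 A07 page next to it; if it is not, consider adding both so the `owasp` tags are traceable. The rule body and the head of `references` are outside the hunk.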
@@ -19,6 +19,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-github-token.yaml b/generic/secrets/security/detected-github-token.yaml
index de4d5e33af..2775af36f3 100644
--- a/generic/secrets/security/detected-github-token.yaml
+++ b/generic/secrets/security/detected-github-token.yaml
@@ -36,6 +36,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-google-api-key.yaml b/generic/secrets/security/detected-google-api-key.yaml
index 9a146612bd..e8625c6cef 100644
--- a/generic/secrets/security/detected-google-api-key.yaml
+++ b/generic/secrets/security/detected-google-api-key.yaml
@@ -18,6 +18,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-google-cloud-api-key.yaml b/generic/secrets/security/detected-google-cloud-api-key.yaml
index eaca4db001..61b3d043a6 100644
--- a/generic/secrets/security/detected-google-cloud-api-key.yaml
+++ b/generic/secrets/security/detected-google-cloud-api-key.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
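Review bot: In the `detected-generic-secret.yaml` hunk (`@@ -19,6 +19,7 @@`, file header on the previous line) `references` still cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures` while `owasp` now also lists `A07:2025 - Authentication Failures`. Add the 2025 A07 page as a second `references` item (presumably under `https://owasp.org/Top10/2025/` — confirm the slug). The rule body starts outside the hunk.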
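Review bot: The `detected-github-token.yaml` hunk (`@@ -36,6 +36,7 @@`) adds the 2025 A07 tag but leaves `references` with only the 2021 A07 URL. Append the 2025 A07 page so the citation covers both tags. The enclosing rule begins before the hunk.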
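Review bot: Same in the `detected-google-api-key.yaml` hunk (`@@ -18,6 +18,7 @@`): `A07:2025 - Authentication Failures` is added, `references` still lists only the 2021 page. Add the 2025 A07 page as a second `references` entry (verify the exact owasp.org path). The rest of the rule is outside the hunk.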
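Review bot: In the `detected-google-cloud-api-key.yaml` hunk (`@@ -16,6 +16,7 @@`) the new 2025 tag has no matching citation; `references` cites only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures`. Append the 2025 A07 page beside it so each `owasp` entry is traceable. The rule body begins before the hunk.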
diff --git a/generic/secrets/security/detected-google-gcm-service-account.yaml b/generic/secrets/security/detected-google-gcm-service-account.yaml
index 81144c3c2f..1c0cba6d38 100644
--- a/generic/secrets/security/detected-google-gcm-service-account.yaml
+++ b/generic/secrets/security/detected-google-gcm-service-account.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-google-oauth-access-token.yaml b/generic/secrets/security/detected-google-oauth-access-token.yaml
index 842e9bddd7..ef6076e169 100644
--- a/generic/secrets/security/detected-google-oauth-access-token.yaml
+++ b/generic/secrets/security/detected-google-oauth-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-google-oauth.yaml b/generic/secrets/security/detected-google-oauth.yaml
index a21e625406..bcca94e9ed 100644
--- a/generic/secrets/security/detected-google-oauth.yaml
+++ b/generic/secrets/security/detected-google-oauth.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-heroku-api-key.yaml b/generic/secrets/security/detected-heroku-api-key.yaml
index 5068567049..da179add37 100644
--- a/generic/secrets/security/detected-heroku-api-key.yaml
+++ b/generic/secrets/security/detected-heroku-api-key.yaml
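Review bot: In the `detected-google-gcm-service-account.yaml` hunk (`@@ -16,6 +16,7 @@`) `references` still cites only the 2021 A07 page after `A07:2025 - Authentication Failures` is added to `owasp`. Add the 2025 A07 page as a second `references` item (presumably `https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/` — verify the slug). The rule's pattern and message sit outside the hunk.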
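Review bot: The `detected-google-oauth-access-token.yaml` hunk (`@@ -15,6 +15,7 @@`) adds the 2025 A07 tag without a corresponding reference; only `https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures` is listed. Append the 2025 A07 page so both categories are cited. The enclosing rule begins before the hunk.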
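Review bot: Same gap in the `detected-google-oauth.yaml` hunk (`@@ -15,6 +15,7 @@`): `owasp` gains `A07:2025 - Authentication Failures`, `references` keeps only the 2021 A07 URL. Add the 2025 A07 page as a second `references` entry (confirm the exact owasp.org path). The rest of the rule is outside the hunk.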
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-hockeyapp.yaml b/generic/secrets/security/detected-hockeyapp.yaml
index f46ec55a79..9e1e3de41b 100644
--- a/generic/secrets/security/detected-hockeyapp.yaml
+++ b/generic/secrets/security/detected-hockeyapp.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-jwt-token.yaml b/generic/secrets/security/detected-jwt-token.yaml
index d825c55c2a..efc42d503f 100644
--- a/generic/secrets/security/detected-jwt-token.yaml
+++ b/generic/secrets/security/detected-jwt-token.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-321: Use of Hard-coded Cryptographic Key'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/generic/secrets/security/detected-kolide-api-key.yaml b/generic/secrets/security/detected-kolide-api-key.yaml
index a59821f776..fff69fb1bc 100644
--- a/generic/secrets/security/detected-kolide-api-key.yaml
+++ b/generic/secrets/security/detected-kolide-api-key.yaml
@@ -14,6 +14,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-mailchimp-api-key.yaml b/generic/secrets/security/detected-mailchimp-api-key.yaml
index 8ab3a2ec3b..d24926228c 100644
--- a/generic/secrets/security/detected-mailchimp-api-key.yaml
+++ b/generic/secrets/security/detected-mailchimp-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-mailgun-api-key.yaml b/generic/secrets/security/detected-mailgun-api-key.yaml
index e25defe850..d30d6f0c16 100644
--- a/generic/secrets/security/detected-mailgun-api-key.yaml
+++ b/generic/secrets/security/detected-mailgun-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-npm-registry-auth-token.yaml b/generic/secrets/security/detected-npm-registry-auth-token.yaml
index 2fc1a75747..4a17c444ca 100644
--- a/generic/secrets/security/detected-npm-registry-auth-token.yaml
+++ b/generic/secrets/security/detected-npm-registry-auth-token.yaml
@@ -22,6 +22,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-outlook-team.yaml b/generic/secrets/security/detected-outlook-team.yaml
index 91f3b3619d..89ad755153 100644
--- a/generic/secrets/security/detected-outlook-team.yaml
+++ b/generic/secrets/security/detected-outlook-team.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-paypal-braintree-access-token.yaml b/generic/secrets/security/detected-paypal-braintree-access-token.yaml
index 396300e4be..b42cd1e60d 100644
--- a/generic/secrets/security/detected-paypal-braintree-access-token.yaml
+++ b/generic/secrets/security/detected-paypal-braintree-access-token.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-pgp-private-key-block.yaml b/generic/secrets/security/detected-pgp-private-key-block.yaml
index 6c1b79601e..aea83668bd 100644
--- a/generic/secrets/security/detected-pgp-private-key-block.yaml
+++ b/generic/secrets/security/detected-pgp-private-key-block.yaml
@@ -17,6 +17,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-picatic-api-key.yaml b/generic/secrets/security/detected-picatic-api-key.yaml
index 18909cce23..074658e70d 100644
--- a/generic/secrets/security/detected-picatic-api-key.yaml
+++ b/generic/secrets/security/detected-picatic-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-private-key.yaml b/generic/secrets/security/detected-private-key.yaml
index 37eb6cf422..48fa9f6e28 100644
--- a/generic/secrets/security/detected-private-key.yaml
+++ b/generic/secrets/security/detected-private-key.yaml
@@ -28,6 +28,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-sauce-token.yaml b/generic/secrets/security/detected-sauce-token.yaml
index 1b56aaf54e..6266ca0488 100644
--- a/generic/secrets/security/detected-sauce-token.yaml
+++ b/generic/secrets/security/detected-sauce-token.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-sendgrid-api-key.yaml b/generic/secrets/security/detected-sendgrid-api-key.yaml
index 22638a0062..e04631a942 100644
--- a/generic/secrets/security/detected-sendgrid-api-key.yaml
+++ b/generic/secrets/security/detected-sendgrid-api-key.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-slack-token.yaml b/generic/secrets/security/detected-slack-token.yaml
index 03660d1549..6024948856 100644
--- a/generic/secrets/security/detected-slack-token.yaml
+++ b/generic/secrets/security/detected-slack-token.yaml
@@ -19,6 +19,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/generic/secrets/security/detected-slack-webhook.yaml b/generic/secrets/security/detected-slack-webhook.yaml
index 0f35a67a06..d25a78a1ff 100644
--- a/generic/secrets/security/detected-slack-webhook.yaml
+++ b/generic/secrets/security/detected-slack-webhook.yaml
@@ -17,6 +17,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-798: Use of Hard-coded Credentials'
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-snyk-api-key.yaml b/generic/secrets/security/detected-snyk-api-key.yaml
index 3b178b5294..baeb26e1ea 100644
--- a/generic/secrets/security/detected-snyk-api-key.yaml
+++ b/generic/secrets/security/detected-snyk-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-softlayer-api-key.yaml b/generic/secrets/security/detected-softlayer-api-key.yaml
index 9926854383..e932c19409 100644
--- a/generic/secrets/security/detected-softlayer-api-key.yaml
+++ b/generic/secrets/security/detected-softlayer-api-key.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-sonarqube-docs-api-key.yaml b/generic/secrets/security/detected-sonarqube-docs-api-key.yaml
index eca483c0c0..d556634db0 100644
--- a/generic/secrets/security/detected-sonarqube-docs-api-key.yaml
+++ b/generic/secrets/security/detected-sonarqube-docs-api-key.yaml
@@ -29,6 +29,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-square-access-token.yaml b/generic/secrets/security/detected-square-access-token.yaml
index b8ce459181..3a37c70e19 100644
--- a/generic/secrets/security/detected-square-access-token.yaml
+++ b/generic/secrets/security/detected-square-access-token.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-square-oauth-secret.yaml b/generic/secrets/security/detected-square-oauth-secret.yaml
index 287b982f58..8bcb7be375 100644
--- a/generic/secrets/security/detected-square-oauth-secret.yaml
+++ b/generic/secrets/security/detected-square-oauth-secret.yaml
@@ -18,6 +18,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/generic/secrets/security/detected-ssh-password.yaml b/generic/secrets/security/detected-ssh-password.yaml
index 6b1aab335b..b3f4f34587 100644
--- a/generic/secrets/security/detected-ssh-password.yaml
+++ b/generic/secrets/security/detected-ssh-password.yaml
@@ -16,6 +16,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-stripe-api-key.yaml b/generic/secrets/security/detected-stripe-api-key.yaml
index c15284d59a..d1fb45e4b4 100644
--- a/generic/secrets/security/detected-stripe-api-key.yaml
+++ b/generic/secrets/security/detected-stripe-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-stripe-restricted-api-key.yaml b/generic/secrets/security/detected-stripe-restricted-api-key.yaml
index 7c90137105..54cd3fc768 100644
--- a/generic/secrets/security/detected-stripe-restricted-api-key.yaml
+++ b/generic/secrets/security/detected-stripe-restricted-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: MEDIUM
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-telegram-bot-api-key.yaml b/generic/secrets/security/detected-telegram-bot-api-key.yaml
index 1d4ffeb9b1..f8e8272a38 100644
--- a/generic/secrets/security/detected-telegram-bot-api-key.yaml
+++ b/generic/secrets/security/detected-telegram-bot-api-key.yaml
@@ -19,6 +19,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-twilio-api-key.yaml b/generic/secrets/security/detected-twilio-api-key.yaml
index e29e588157..ea23537221 100644
--- a/generic/secrets/security/detected-twilio-api-key.yaml
+++ b/generic/secrets/security/detected-twilio-api-key.yaml
@@ -15,6 +15,7 @@ rules:
 confidence: LOW
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/generic/secrets/security/detected-username-and-password-in-uri.yaml b/generic/secrets/security/detected-username-and-password-in-uri.yaml
index 88008b554e..7ce5de70d3 100644
--- a/generic/secrets/security/detected-username-and-password-in-uri.yaml
+++ b/generic/secrets/security/detected-username-and-password-in-uri.yaml
@@ -18,6 +18,7 @@ rules:
 metadata:
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-798: Use of Hard-coded Credentials'
 references:
diff --git a/generic/unicode/security/bidi.yml b/generic/unicode/security/bidi.yml
index fd9fb28e31..ecd5eb80a4 100644
--- a/generic/unicode/security/bidi.yml
+++ b/generic/unicode/security/bidi.yml
@@ -30,6 +30,7 @@ rules:
 confidence: LOW
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/generic/visualforce/security/ncino/html/UseSRIForCDNs.yaml b/generic/visualforce/security/ncino/html/UseSRIForCDNs.yaml
index 8276a48050..0344c647c3 100644
--- a/generic/visualforce/security/ncino/html/UseSRIForCDNs.yaml
+++ b/generic/visualforce/security/ncino/html/UseSRIForCDNs.yaml
@@ -17,6 +17,7 @@ rules:
 - 'CWE-346: Origin Validation Error'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2020-top25': true
 cwe2021-top25': true
 cwe2022-top25': true
diff --git a/generic/visualforce/security/ncino/vf/XSSFromUnescapedURLParam.yaml b/generic/visualforce/security/ncino/vf/XSSFromUnescapedURLParam.yaml
index 529b73921e..5fad4c6f8a 100644
--- a/generic/visualforce/security/ncino/vf/XSSFromUnescapedURLParam.yaml
+++ b/generic/visualforce/security/ncino/vf/XSSFromUnescapedURLParam.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm
 category: security
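Review bot: In the UseSRIForCDNs.yaml hunk the three keys directly below the added `A07:2025` line, `cwe2020-top25'`, `cwe2021-top25'` and `cwe2022-top25'`, carry a stray trailing apostrophe, so YAML parses them as keys distinct from the `cwe2022-top25` spelled in the bidi.yml hunk on the same line and in every detected-* hunk above; a consumer that filters on the canonical key silently skips this rule. The commit is already editing this metadata block, so it is the natural place to drop the apostrophes: `cwe2020-top25: true`, `cwe2021-top25: true`, `cwe2022-top25: true`. The enclosing rule definition starts before and continues after the hunk, so other occurrences of the same spelling may sit outside the visible lines.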
diff --git a/generic/visualforce/security/ncino/xml/CSPHeaderAttribute.yaml b/generic/visualforce/security/ncino/xml/CSPHeaderAttribute.yaml
index edcd02bf81..3473635fbe 100644
--- a/generic/visualforce/security/ncino/xml/CSPHeaderAttribute.yaml
+++ b/generic/visualforce/security/ncino/xml/CSPHeaderAttribute.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5
 category: security
diff --git a/generic/visualforce/security/ncino/xml/VisualForceAPIVersion.yaml b/generic/visualforce/security/ncino/xml/VisualForceAPIVersion.yaml
index 732e730237..31f08f9db5 100644
--- a/generic/visualforce/security/ncino/xml/VisualForceAPIVersion.yaml
+++ b/generic/visualforce/security/ncino/xml/VisualForceAPIVersion.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm
 category: security
diff --git a/go/aws-lambda/security/database-sqli.yaml b/go/aws-lambda/security/database-sqli.yaml
index 4107a43ab2..ec2d551540 100644
--- a/go/aws-lambda/security/database-sqli.yaml
+++ b/go/aws-lambda/security/database-sqli.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/go/aws-lambda/security/tainted-sql-string.yaml b/go/aws-lambda/security/tainted-sql-string.yaml
index 6f82122a4c..7029d518c2 100644
--- a/go/aws-lambda/security/tainted-sql-string.yaml
+++ b/go/aws-lambda/security/tainted-sql-string.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/go/gorilla/security/audit/session-cookie-missing-httponly.yaml b/go/gorilla/security/audit/session-cookie-missing-httponly.yaml
index be9df5e6dc..c29b43b9d4 100644
--- a/go/gorilla/security/audit/session-cookie-missing-httponly.yaml
+++ b/go/gorilla/security/audit/session-cookie-missing-httponly.yaml
@@ -22,6 +22,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69
 category: security
diff --git a/go/gorilla/security/audit/session-cookie-missing-secure.yaml b/go/gorilla/security/audit/session-cookie-missing-secure.yaml
index c696e563eb..204956c3a0 100644
--- a/go/gorilla/security/audit/session-cookie-missing-secure.yaml
+++ b/go/gorilla/security/audit/session-cookie-missing-secure.yaml
@@ -21,6 +21,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69
 category: security
diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.yaml b/go/gorilla/security/audit/session-cookie-samesitenone.yaml
index bcec859903..fc6aa8682d 100644
--- a/go/gorilla/security/audit/session-cookie-samesitenone.yaml
+++ b/go/gorilla/security/audit/session-cookie-samesitenone.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://pkg.go.dev/github.com/gorilla/sessions#Options
 category: security
diff --git a/go/gorilla/security/audit/websocket-missing-origin-check.yaml b/go/gorilla/security/audit/websocket-missing-origin-check.yaml
index 73a3d0a7bb..cd1aaad5c9 100644
--- a/go/gorilla/security/audit/websocket-missing-origin-check.yaml
+++ b/go/gorilla/security/audit/websocket-missing-origin-check.yaml
@@ -26,6 +26,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://pkg.go.dev/github.com/gorilla/websocket#Upgrader
 technology:
diff --git a/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml b/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
index 2dbf73f62d..a6b4a974fc 100644
--- a/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
+++ b/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
@@ -56,6 +56,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://gorm.io/docs/security.html#SQL-injection-Methods
 - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
diff --git a/go/grpc/security/grpc-client-insecure-connection.yaml b/go/grpc/security/grpc-client-insecure-connection.yaml
index 9c4530067b..ce5bad62b6 100644
--- a/go/grpc/security/grpc-client-insecure-connection.yaml
+++ b/go/grpc/security/grpc-client-insecure-connection.yaml
@@ -11,6 +11,7 @@ rules:
 confidence: HIGH
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/go/grpc/security/grpc-server-insecure-connection.yaml b/go/grpc/security/grpc-server-insecure-connection.yaml
index c5d6c3e759..7afc27eb15 100644
--- a/go/grpc/security/grpc-server-insecure-connection.yaml
+++ b/go/grpc/security/grpc-server-insecure-connection.yaml
@@ -11,6 +11,7 @@ rules:
 confidence: HIGH
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/go/jwt-go/security/audit/jwt-parse-unverified.yaml b/go/jwt-go/security/audit/jwt-parse-unverified.yaml
index 5916496eed..7f85d98d63 100644
--- a/go/jwt-go/security/audit/jwt-parse-unverified.yaml
+++ b/go/jwt-go/security/audit/jwt-parse-unverified.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-345: Insufficient Verification of Data Authenticity'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/go/jwt-go/security/jwt-none-alg.yaml b/go/jwt-go/security/jwt-none-alg.yaml
index f99e91dd23..769d62566a 100644
--- a/go/jwt-go/security/jwt-none-alg.yaml
+++ b/go/jwt-go/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/go/jwt-go/security/jwt.yaml b/go/jwt-go/security/jwt.yaml
index 261316b788..18711d3b79 100644
--- a/go/jwt-go/security/jwt.yaml
+++ b/go/jwt-go/security/jwt.yaml
@@ -15,6 +15,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - jwt
diff --git a/go/lang/security/audit/crypto/bad_imports.yaml b/go/lang/security/audit/crypto/bad_imports.yaml
index 59cfdc2106..6187c21f7e 100644
--- a/go/lang/security/audit/crypto/bad_imports.yaml
+++ b/go/lang/security/audit/crypto/bad_imports.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 source-rule-url: https://github.com/securego/gosec
diff --git a/go/lang/security/audit/crypto/insecure_ssh.yaml b/go/lang/security/audit/crypto/insecure_ssh.yaml
index 206b47475a..c0cf8865fa 100644
--- a/go/lang/security/audit/crypto/insecure_ssh.yaml
+++ b/go/lang/security/audit/crypto/insecure_ssh.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-322: Key Exchange without Entity Authentication'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/securego/gosec
 references:
 - https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/
diff --git a/go/lang/security/audit/crypto/math_random.yaml b/go/lang/security/audit/crypto/math_random.yaml
index feef38161b..88fa1ed3a7 100644
--- a/go/lang/security/audit/crypto/math_random.yaml
+++ b/go/lang/security/audit/crypto/math_random.yaml
@@ -5,6 +5,7 @@ rules:
 - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation
 category: security
diff --git a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml
index 8ed4064bd4..d3b6ed4687 100644
--- a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml
+++ b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go
 references:
 - https://go.dev/doc/go1.22#minor_library_changes
diff --git a/go/lang/security/audit/crypto/sha224-hash.yaml b/go/lang/security/audit/crypto/sha224-hash.yaml
index 8fe39e0580..9a18ac43d1 100644
--- a/go/lang/security/audit/crypto/sha224-hash.yaml
+++ b/go/lang/security/audit/crypto/sha224-hash.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 category: security
diff --git a/go/lang/security/audit/crypto/ssl.yaml b/go/lang/security/audit/crypto/ssl.yaml
index 330a34b975..161c71c966 100644
--- a/go/lang/security/audit/crypto/ssl.yaml
+++ b/go/lang/security/audit/crypto/ssl.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go
 references:
 - https://golang.org/doc/go1.14#crypto/tls
diff --git a/go/lang/security/audit/crypto/tls.yaml b/go/lang/security/audit/crypto/tls.yaml
index c02dad3fdd..19a2d2cd24 100644
--- a/go/lang/security/audit/crypto/tls.yaml
+++ b/go/lang/security/audit/crypto/tls.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls.go
 references:
 - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites
diff --git a/go/lang/security/audit/crypto/use_of_weak_crypto.yaml b/go/lang/security/audit/crypto/use_of_weak_crypto.yaml
index 3c8e6175cd..cf02f9d6d6 100644
--- a/go/lang/security/audit/crypto/use_of_weak_crypto.yaml
+++ b/go/lang/security/audit/crypto/use_of_weak_crypto.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://github.com/securego/gosec#available-rules
@@ -43,6 +44,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://github.com/securego/gosec#available-rules
@@ -75,6 +77,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 source-rule-url: https://github.com/securego/gosec#available-rules
@@ -107,6 +110,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 source-rule-url: https://github.com/securego/gosec#available-rules
diff --git a/go/lang/security/audit/crypto/use_of_weak_rsa_key.yaml b/go/lang/security/audit/crypto/use_of_weak_rsa_key.yaml
index 8a35aa7bd7..e0ded19ed1 100644
--- a/go/lang/security/audit/crypto/use_of_weak_rsa_key.yaml
+++ b/go/lang/security/audit/crypto/use_of_weak_rsa_key.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/securego/gosec/blob/master/rules/rsa.go
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
diff --git a/go/lang/security/audit/dangerous-command-write.yaml b/go/lang/security/audit/dangerous-command-write.yaml
index fc1b72a59f..508599926b 100644
--- a/go/lang/security/audit/dangerous-command-write.yaml
+++ b/go/lang/security/audit/dangerous-command-write.yaml
@@ -38,6 +38,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/go/lang/security/audit/dangerous-exec-cmd.yaml b/go/lang/security/audit/dangerous-exec-cmd.yaml
index 18309121cc..57af796eee 100644
--- a/go/lang/security/audit/dangerous-exec-cmd.yaml
+++ b/go/lang/security/audit/dangerous-exec-cmd.yaml
@@ -70,6 +70,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
diff --git a/go/lang/security/audit/dangerous-exec-command.yaml b/go/lang/security/audit/dangerous-exec-command.yaml
index 306302932a..1e1a3ad384 100644
--- a/go/lang/security/audit/dangerous-exec-command.yaml
+++ b/go/lang/security/audit/dangerous-exec-command.yaml
@@ -46,6 +46,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
diff --git a/go/lang/security/audit/dangerous-syscall-exec.yaml b/go/lang/security/audit/dangerous-syscall-exec.yaml
index 1a66818bed..f54745d34d 100644
--- a/go/lang/security/audit/dangerous-syscall-exec.yaml
+++ b/go/lang/security/audit/dangerous-syscall-exec.yaml
@@ -82,6 +82,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml
index 7aeb388a60..041ee7bc6f 100644
--- a/go/lang/security/audit/database/string-formatted-query.yaml
+++ b/go/lang/security/audit/database/string-formatted-query.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 source-rule-url: https://github.com/securego/gosec
diff --git a/go/lang/security/audit/md5-used-as-password.yaml b/go/lang/security/audit/md5-used-as-password.yaml
index b2d42f92a9..1e386f8350 100644
--- a/go/lang/security/audit/md5-used-as-password.yaml
+++ b/go/lang/security/audit/md5-used-as-password.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 confidence: MEDIUM
diff --git a/go/lang/security/audit/net/bind_all.yaml b/go/lang/security/audit/net/bind_all.yaml
index 967ffb5dc4..f298e8e2de 100644
--- a/go/lang/security/audit/net/bind_all.yaml
+++ b/go/lang/security/audit/net/bind_all.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/securego/gosec
 category: security
 technology:
diff --git a/go/lang/security/audit/net/cookie-missing-httponly.yaml b/go/lang/security/audit/net/cookie-missing-httponly.yaml
index 64f045c2af..871a512789 100644
--- a/go/lang/security/audit/net/cookie-missing-httponly.yaml
+++ b/go/lang/security/audit/net/cookie-missing-httponly.yaml
@@ -22,6 +22,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go
 - https://golang.org/src/net/http/cookie.go
diff --git a/go/lang/security/audit/net/cookie-missing-secure.yaml b/go/lang/security/audit/net/cookie-missing-secure.yaml
index 88d58eca18..8e712dbdf6 100644
--- a/go/lang/security/audit/net/cookie-missing-secure.yaml
+++ b/go/lang/security/audit/net/cookie-missing-secure.yaml
@@ -21,6 +21,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go
 - https://golang.org/src/net/http/cookie.go
diff --git a/go/lang/security/audit/net/dynamic-httptrace-clienttrace.yaml b/go/lang/security/audit/net/dynamic-httptrace-clienttrace.yaml
index 369012864c..94a458dc70 100644
--- a/go/lang/security/audit/net/dynamic-httptrace-clienttrace.yaml
+++ b/go/lang/security/audit/net/dynamic-httptrace-clienttrace.yaml
@@ -13,6 +13,7 @@ rules:
 - 'CWE-913: Improper Control of Dynamically-Managed Code Resources'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://github.com/returntocorp/semgrep-rules/issues/518
 # Detects when a static ClientTrace is not defined in the same file as
diff --git a/go/lang/security/audit/net/formatted-template-string.yaml b/go/lang/security/audit/net/formatted-template-string.yaml
index 1a804a245d..edd8555375 100644
--- a/go/lang/security/audit/net/formatted-template-string.yaml
+++ b/go/lang/security/audit/net/formatted-template-string.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/pkg/html/template/#HTML
 category: security
diff --git a/go/lang/security/audit/net/fs-directory-listing.yaml b/go/lang/security/audit/net/fs-directory-listing.yaml
index 8cd4e68a60..43222e1169 100644
--- a/go/lang/security/audit/net/fs-directory-listing.yaml
+++ b/go/lang/security/audit/net/fs-directory-listing.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://github.com/OWASP/Go-SCP
 - https://cwe.mitre.org/data/definitions/548.html
diff --git a/go/lang/security/audit/net/unescaped-data-in-htmlattr.yaml b/go/lang/security/audit/net/unescaped-data-in-htmlattr.yaml
index bb87d08987..a0d90ee475 100644
--- a/go/lang/security/audit/net/unescaped-data-in-htmlattr.yaml
+++ b/go/lang/security/audit/net/unescaped-data-in-htmlattr.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/pkg/html/template/#HTMLAttr
 category: security
diff --git a/go/lang/security/audit/net/unescaped-data-in-js.yaml b/go/lang/security/audit/net/unescaped-data-in-js.yaml
index ff130a11a9..b33924abda 100644
--- a/go/lang/security/audit/net/unescaped-data-in-js.yaml
+++ b/go/lang/security/audit/net/unescaped-data-in-js.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/pkg/html/template/#JS
 category: security
diff --git a/go/lang/security/audit/net/unescaped-data-in-url.yaml b/go/lang/security/audit/net/unescaped-data-in-url.yaml
index c88dd42bc2..7761db6d86 100644
--- a/go/lang/security/audit/net/unescaped-data-in-url.yaml
+++ b/go/lang/security/audit/net/unescaped-data-in-url.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/pkg/html/template/#URL
 category: security
diff --git a/go/lang/security/audit/net/use-tls.yaml b/go/lang/security/audit/net/use-tls.yaml
index 902b27c4d3..4f1738a36e 100644
--- a/go/lang/security/audit/net/use-tls.yaml
+++ b/go/lang/security/audit/net/use-tls.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://golang.org/pkg/net/http/#ListenAndServeTLS
 category: security
diff --git a/go/lang/security/audit/net/wip-xss-using-responsewriter-and-printf.yaml b/go/lang/security/audit/net/wip-xss-using-responsewriter-and-printf.yaml
index 6d9b3b0657..2144ac4a07 100644
--- a/go/lang/security/audit/net/wip-xss-using-responsewriter-and-printf.yaml
+++ b/go/lang/security/audit/net/wip-xss-using-responsewriter-and-printf.yaml
@@ -55,6 +55,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
diff --git a/go/lang/security/audit/reflect-makefunc.yaml b/go/lang/security/audit/reflect-makefunc.yaml
index 0200a48596..5a2143af3c 100644
--- a/go/lang/security/audit/reflect-makefunc.yaml
+++ b/go/lang/security/audit/reflect-makefunc.yaml
@@ -8,6 +8,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-913: Improper Control of Dynamically-Managed Code Resources'
 category: security
diff --git a/go/lang/security/audit/sqli/gosql-sqli.yaml b/go/lang/security/audit/sqli/gosql-sqli.yaml
index fee58cbe99..101e8c0b21 100644
--- a/go/lang/security/audit/sqli/gosql-sqli.yaml
+++ b/go/lang/security/audit/sqli/gosql-sqli.yaml
@@ -54,6 +54,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/go/lang/security/audit/sqli/pg-orm-sqli.yaml b/go/lang/security/audit/sqli/pg-orm-sqli.yaml
index 04a4da6b51..6ccb142397 100644
--- a/go/lang/security/audit/sqli/pg-orm-sqli.yaml
+++ b/go/lang/security/audit/sqli/pg-orm-sqli.yaml
@@ -78,6 +78,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/go/lang/security/audit/sqli/pg-sqli.yaml b/go/lang/security/audit/sqli/pg-sqli.yaml
index 8594696e08..04cf9c0e95 100644
--- a/go/lang/security/audit/sqli/pg-sqli.yaml
+++ b/go/lang/security/audit/sqli/pg-sqli.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/go/lang/security/audit/sqli/pgx-sqli.yaml b/go/lang/security/audit/sqli/pgx-sqli.yaml
index 3d625682a1..4e5091a207 100644
--- a/go/lang/security/audit/sqli/pgx-sqli.yaml
+++ b/go/lang/security/audit/sqli/pgx-sqli.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/go/lang/security/audit/unsafe-reflect-by-name.yaml b/go/lang/security/audit/unsafe-reflect-by-name.yaml
index 5f4879fd3c..c9d6c438c9 100644
--- a/go/lang/security/audit/unsafe-reflect-by-name.yaml
+++ b/go/lang/security/audit/unsafe-reflect-by-name.yaml
@@ -27,6 +27,7 @@ rules:
 - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
diff --git a/go/lang/security/audit/xss/import-text-template.yaml b/go/lang/security/audit/xss/import-text-template.yaml
index fe37bcce79..ce74bb77c9 100644
--- a/go/lang/security/audit/xss/import-text-template.yaml
+++ b/go/lang/security/audit/xss/import-text-template.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml b/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml
index 5577c231cc..8dfe2fd577 100644
--- a/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml
+++ b/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
 technology:
diff --git a/go/lang/security/audit/xss/no-fprintf-to-responsewriter.yaml b/go/lang/security/audit/xss/no-fprintf-to-responsewriter.yaml
index c6be9d36cf..9088be7e45 100644
--- a/go/lang/security/audit/xss/no-fprintf-to-responsewriter.yaml
+++ b/go/lang/security/audit/xss/no-fprintf-to-responsewriter.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/go/lang/security/audit/xss/no-interpolation-in-tag.yaml b/go/lang/security/audit/xss/no-interpolation-in-tag.yaml
index c1a4beef2a..eca197f3de 100644
--- a/go/lang/security/audit/xss/no-interpolation-in-tag.yaml
+++ b/go/lang/security/audit/xss/no-interpolation-in-tag.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/golang/go/issues/19669
 - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
diff --git a/go/lang/security/audit/xss/no-interpolation-js-template-string.yaml b/go/lang/security/audit/xss/no-interpolation-js-template-string.yaml
index 9015c72294..03463abc46 100644
--- a/go/lang/security/audit/xss/no-interpolation-js-template-string.yaml
+++ b/go/lang/security/audit/xss/no-interpolation-js-template-string.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/golang/go/issues/9200#issuecomment-66100328
 - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
diff --git a/go/lang/security/audit/xss/no-io-writestring-to-responsewriter.yaml b/go/lang/security/audit/xss/no-io-writestring-to-responsewriter.yaml
index a359cf05fb..6dff93eb21 100644
--- a/go/lang/security/audit/xss/no-io-writestring-to-responsewriter.yaml
+++ b/go/lang/security/audit/xss/no-io-writestring-to-responsewriter.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/go/lang/security/audit/xss/no-printf-in-responsewriter.yaml b/go/lang/security/audit/xss/no-printf-in-responsewriter.yaml
index 22ae6872ed..d449fcb6ed 100644
--- a/go/lang/security/audit/xss/no-printf-in-responsewriter.yaml
+++ b/go/lang/security/audit/xss/no-printf-in-responsewriter.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/go/lang/security/audit/xss/template-html-does-not-escape.yaml b/go/lang/security/audit/xss/template-html-does-not-escape.yaml
index 031ae96609..f8d489074a 100644
--- a/go/lang/security/audit/xss/template-html-does-not-escape.yaml
+++ b/go/lang/security/audit/xss/template-html-does-not-escape.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/pkg/html/template/#HTML
 - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33
diff --git a/go/lang/security/audit/xxe/parsing-external-entities-enabled.yaml b/go/lang/security/audit/xxe/parsing-external-entities-enabled.yaml
index d0ff217894..27d4001521 100644
--- a/go/lang/security/audit/xxe/parsing-external-entities-enabled.yaml
+++ b/go/lang/security/audit/xxe/parsing-external-entities-enabled.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://knowledge-base.secureflag.com/vulnerabilities/xml_injection/xml_entity_expansion_go_lang.html
 - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
diff --git a/go/lang/security/bad_tmp.yaml b/go/lang/security/bad_tmp.yaml
index 860d45505c..85620a93a7 100644
--- a/go/lang/security/bad_tmp.yaml
+++ b/go/lang/security/bad_tmp.yaml
@@ -13,6 +13,7 @@ rules:
 confidence: LOW
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/Top10/A01_2021-Broken_Access_Control
 - https://pkg.go.dev/io/ioutil#TempFile
diff --git a/go/lang/security/deserialization/unsafe-deserialization-interface.go b/go/lang/security/deserialization/unsafe-deserialization-interface.go
new file mode 100644
index 0000000000..8ed1717aee
--- /dev/null
+++ b/go/lang/security/deserialization/unsafe-deserialization-interface.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+ "encoding/json"
+ "encoding/xml"
+
+ "gopkg.in/yaml.v3"
+)
+
+// Vulnerable patterns - should be flagged
+
+func vulnerableJSON(data []byte) {
+ // ruleid: go-unsafe-deserialization-interface
+ var result interface{}
+ json.Unmarshal(data, &result)
+}
+
+func vulnerableYAML(data []byte) {
+ // ruleid: go-unsafe-deserialization-interface
+ var result interface{}
+ yaml.Unmarshal(data, &result)
+}
+
+func vulnerableXML(data []byte) {
+ // ruleid: go-unsafe-deserialization-interface
+ var result interface{}
+ xml.Unmarshal(data, &result)
+}
+
+// Safe patterns - should NOT be flagged
+
+type User struct {
+ ID int `json:"id"`
+ Name string `json:"name"`
+ Email string `json:"email"`
+}
+
+func safeJSON(data []byte) {
+ // ok: go-unsafe-deserialization-interface
+ var user User
+ json.Unmarshal(data, &user)
+}
+
+func safeYAML(data []byte) {
+ // ok: go-unsafe-deserialization-interface
+ var user User
+ yaml.Unmarshal(data, &user)
+}
+
+func safeXML(data []byte) {
+ // ok: go-unsafe-deserialization-interface
+ var user User
+ xml.Unmarshal(data, &user)
+}
+
+type Config struct {
+ Host string `json:"host"`
+ Port int `json:"port"`
+}
+
+func safeConfigJSON(data []byte) {
+ // ok: go-unsafe-deserialization-interface
+ var config Config
+ json.Unmarshal(data, &config)
+}
+
diff --git a/go/lang/security/deserialization/unsafe-deserialization-interface.yaml b/go/lang/security/deserialization/unsafe-deserialization-interface.yaml
new file mode 100644
index 0000000000..4f52c1c25d
--- /dev/null
+++ b/go/lang/security/deserialization/unsafe-deserialization-interface.yaml
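Review bot: The fixture has no case for the `any` spelling — a function with `var result any` followed by `json.Unmarshal(data, &result)` — so the test run cannot show whether the rule's `interface{}`-only patterns in the sibling YAML miss it; add that function with a `// ruleid:` annotation if the rule is extended to `any`, or with `// ok:` if the gap is accepted. A `map[string]interface{}` target would be worth the same treatment, since it is the other common "schema-less" decode. Every `Unmarshal` call here also drops its error, which makes the "safe" examples look less careful than the rule message asks for; `_ = json.Unmarshal(data, &user)` keeps the examples honest and should still match as a sub-expression, though that is worth confirming in the test run.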
@@ -0,0 +1,41 @@
+rules:
+ - id: go-unsafe-deserialization-interface
+ languages:
+ - go
+ message: >-
+ Deserializing into `interface{}` allows arbitrary data structures and types,
+ which can lead to security vulnerabilities (CWE-502). Use a concrete struct
+ type instead. Consider using github.com/ravisastryk/go-safeinput/safedeserialize
+ for automatic protection.
+ severity: WARNING
+ metadata:
+ cwe:
+ - "CWE-502: Deserialization of Untrusted Data"
+ owasp:
+ - A08:2017 - Insecure Deserialization
+ - A08:2021 - Software and Data Integrity Failures
+ category: security
+ technology:
+ - go
+ confidence: HIGH
+ likelihood: MEDIUM
+ impact: HIGH
+ subcategory:
+ - vuln
+ references:
+ - https://cwe.mitre.org/data/definitions/502.html
+ - https://github.com/ravisastryk/go-safeinput
+ patterns:
+ - pattern-either:
+ - pattern: |
+ var $VAR interface{}
+ ...
+ json.Unmarshal($DATA, &$VAR)
+ - pattern: |
+ var $VAR interface{}
+ ...
+ yaml.Unmarshal($DATA, &$VAR)
+ - pattern: |
+ var $VAR interface{}
+ ...
+ xml.Unmarshal($DATA, &$VAR)
diff --git a/go/lang/security/filepath-clean-misuse.yaml b/go/lang/security/filepath-clean-misuse.yaml
index 516b6d8505..30f8d31b10 100644
--- a/go/lang/security/filepath-clean-misuse.yaml
+++ b/go/lang/security/filepath-clean-misuse.yaml
@@ -45,6 +45,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - go
diff --git a/go/lang/security/injection/raw-html-format.yaml b/go/lang/security/injection/raw-html-format.yaml
index 267b27892c..dc2c93de6d 100644
--- a/go/lang/security/injection/raw-html-format.yaml
+++ b/go/lang/security/injection/raw-html-format.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - go
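Review bot: The new rule's `owasp` list stops at `A08:2021 - Software and Data Integrity Failures`, while every other rule touched by this commit gains its 2025 entry; add `- A08:2025 - Software or Data Integrity Failures` under `owasp:` so the file follows the convention the commit itself establishes. The `message` and `references` steer users to `github.com/ravisastryk/go-safeinput/safedeserialize`, a third-party library, which a registry rule should not do; keep the remediation to "use a concrete struct type" and drop the library mention and link. The three patterns only match the literal `interface{}` spelling, so `var $VAR any` (the predeclared alias since Go 1.18) is not reported; either add `any` variants under `pattern-either` or say so in the message. `confidence: HIGH` paired with CWE-502 presumably overstates the case for Go's standard decoders, which do not instantiate payload-chosen types the way Java or Python deserializers do — the practical risk here is unvalidated structure and type confusion — so `confidence: MEDIUM`, or a message that describes that risk rather than generic "security vulnerabilities", reads more accurately.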
diff --git a/go/lang/security/injection/tainted-sql-string.yaml b/go/lang/security/injection/tainted-sql-string.yaml
index 78f4a3f64c..d1a6b55976 100644
--- a/go/lang/security/injection/tainted-sql-string.yaml
+++ b/go/lang/security/injection/tainted-sql-string.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://golang.org/doc/database/sql-injection
 - https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/
diff --git a/go/lang/security/injection/tainted-url-host.yaml b/go/lang/security/injection/tainted-url-host.yaml
index 999fcaeac6..598f5766ac 100644
--- a/go/lang/security/injection/tainted-url-host.yaml
+++ b/go/lang/security/injection/tainted-url-host.yaml
@@ -16,6 +16,7 @@ rules:
 - "CWE-918: Server-Side Request Forgery (SSRF)"
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://goteleport.com/blog/ssrf-attacks/
 category: security
diff --git a/go/lang/security/zip.yaml b/go/lang/security/zip.yaml
index e03aa57bb5..dc13ccfc2c 100644
--- a/go/lang/security/zip.yaml
+++ b/go/lang/security/zip.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/Top10/A01_2021-Broken_Access_Control
 cwe2022-top25: true
diff --git a/go/otto/security/audit/dangerous-execution.yaml b/go/otto/security/audit/dangerous-execution.yaml
index 9a1c8d35e0..f5e6cb0f90 100644
--- a/go/otto/security/audit/dangerous-execution.yaml
+++ b/go/otto/security/audit/dangerous-execution.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - otto
diff --git a/go/template/security/insecure-types.yaml b/go/template/security/insecure-types.yaml
index 3ea82462bd..385ba04c41 100644
--- a/go/template/security/insecure-types.yaml
+++ b/go/template/security/insecure-types.yaml
@@ -27,6 +27,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/html/security/audit/eval-detected.yaml b/html/security/audit/eval-detected.yaml
index 14f9ae7212..586057f7cc 100644
--- a/html/security/audit/eval-detected.yaml
+++ b/html/security/audit/eval-detected.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - browser
diff --git a/html/security/audit/insecure-document-method.yaml b/html/security/audit/insecure-document-method.yaml
index 6a6711df44..8c0b9d361e 100644
--- a/html/security/audit/insecure-document-method.yaml
+++ b/html/security/audit/insecure-document-method.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - browser
diff --git a/html/security/audit/missing-integrity.yaml b/html/security/audit/missing-integrity.yaml
index 823a3baf2f..120e46657a 100644
--- a/html/security/audit/missing-integrity.yaml
+++ b/html/security/audit/missing-integrity.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-353: Missing Support for Integrity Check'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 confidence: LOW
 references:
 - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
diff --git a/html/security/plaintext-http-link.yaml b/html/security/plaintext-http-link.yaml
index 677d3c3246..2ec997c986 100644
--- a/html/security/plaintext-http-link.yaml
+++ b/html/security/plaintext-http-link.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 confidence: HIGH
 subcategory:
 - vuln
diff --git a/java/aws-lambda/security/tainted-sql-string.yaml b/java/aws-lambda/security/tainted-sql-string.yaml
index 7c68ef31f8..ccb1e4098a 100644
--- a/java/aws-lambda/security/tainted-sql-string.yaml
+++ b/java/aws-lambda/security/tainted-sql-string.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/java/aws-lambda/security/tainted-sqli.yaml b/java/aws-lambda/security/tainted-sqli.yaml
index a44a46c7a2..662a054486 100644
--- a/java/aws-lambda/security/tainted-sqli.yaml
+++ b/java/aws-lambda/security/tainted-sqli.yaml
@@ -60,6 +60,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/java-jwt/security/audit/jwt-decode-without-verify.yaml b/java/java-jwt/security/audit/jwt-decode-without-verify.yaml
index 31f62508d1..db7a0207b4 100644
--- a/java/java-jwt/security/audit/jwt-decode-without-verify.yaml
+++ b/java/java-jwt/security/audit/jwt-decode-without-verify.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-345: Insufficient Verification of Data Authenticity'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/java/java-jwt/security/jwt-hardcode.yaml b/java/java-jwt/security/jwt-hardcode.yaml
index 02c18a2bb8..900881f070 100644
--- a/java/java-jwt/security/jwt-hardcode.yaml
+++ b/java/java-jwt/security/jwt-hardcode.yaml
@@ -13,6 +13,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 technology:
 - java
 - secrets
diff --git a/java/java-jwt/security/jwt-none-alg.yaml b/java/java-jwt/security/jwt-none-alg.yaml
index 083d7ec6ba..2d7e677c4f 100644
--- a/java/java-jwt/security/jwt-none-alg.yaml
+++ b/java/java-jwt/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/java/jax-rs/security/insecure-resteasy.yaml b/java/jax-rs/security/insecure-resteasy.yaml
index b1aeddeed9..347d3451d3 100644
--- a/java/jax-rs/security/insecure-resteasy.yaml
+++ b/java/jax-rs/security/insecure-resteasy.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 references:
 - https://access.redhat.com/blogs/766093/posts/3162112
 subcategory:
@@ -56,6 +57,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 references:
 - https://access.redhat.com/blogs/766093/posts/3162112
 subcategory:
diff --git a/java/jax-rs/security/jax-rs-path-traversal.yaml b/java/jax-rs/security/jax-rs-path-traversal.yaml
index 45a1cd6459..ad777d81ec 100644
--- a/java/jax-rs/security/jax-rs-path-traversal.yaml
+++ b/java/jax-rs/security/jax-rs-path-traversal.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN
diff --git a/java/jboss/security/seam-log-injection.yaml b/java/jboss/security/seam-log-injection.yaml
index d6b9ef05e1..1d472f03ac 100644
--- a/java/jboss/security/seam-log-injection.yaml
+++ b/java/jboss/security/seam-log-injection.yaml
@@ -25,6 +25,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION
 category: security
 technology:
diff --git a/java/jboss/security/session_sqli.yaml b/java/jboss/security/session_sqli.yaml
index 7de013a7af..86078399ef 100644
--- a/java/jboss/security/session_sqli.yaml
+++ b/java/jboss/security/session_sqli.yaml
@@ -39,6 +39,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/jjwt/security/jwt-none-alg.yaml b/java/jjwt/security/jwt-none-alg.yaml
index 346ecadc46..e36085e6d0 100644
--- a/java/jjwt/security/jwt-none-alg.yaml
+++ b/java/jjwt/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/java/lang/security/audit/anonymous-ldap-bind.yaml b/java/lang/security/audit/anonymous-ldap-bind.yaml
index 4bec5f5523..8af6ac4dae 100644
--- a/java/lang/security/audit/anonymous-ldap-bind.yaml
+++ b/java/lang/security/audit/anonymous-ldap-bind.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS
 category: security
 technology:
diff --git a/java/lang/security/audit/blowfish-insufficient-key-size.yaml b/java/lang/security/audit/blowfish-insufficient-key-size.yaml
index f34e5ffa95..40c7bb6e04 100644
--- a/java/lang/security/audit/blowfish-insufficient-key-size.yaml
+++ b/java/lang/security/audit/blowfish-insufficient-key-size.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/cbc-padding-oracle.yaml b/java/lang/security/audit/cbc-padding-oracle.yaml
index 204091aba5..abb50fca61 100644
--- a/java/lang/security/audit/cbc-padding-oracle.yaml
+++ b/java/lang/security/audit/cbc-padding-oracle.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE
 references:
 - https://capec.mitre.org/data/definitions/463.html
diff --git a/java/lang/security/audit/command-injection-formatted-runtime-call.yaml b/java/lang/security/audit/command-injection-formatted-runtime-call.yaml
index 275060bf77..fd0f5e7b4a 100644
--- a/java/lang/security/audit/command-injection-formatted-runtime-call.yaml
+++ b/java/lang/security/audit/command-injection-formatted-runtime-call.yaml
@@ -71,6 +71,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.
 category: security
 technology:
diff --git a/java/lang/security/audit/command-injection-process-builder.yaml b/java/lang/security/audit/command-injection-process-builder.yaml
index 750e721b49..8be3d13858 100644
--- a/java/lang/security/audit/command-injection-process-builder.yaml
+++ b/java/lang/security/audit/command-injection-process-builder.yaml
@@ -130,6 +130,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/cookie-missing-httponly.yaml b/java/lang/security/audit/cookie-missing-httponly.yaml
index 85f0a765aa..0711f823db 100644
--- a/java/lang/security/audit/cookie-missing-httponly.yaml
+++ b/java/lang/security/audit/cookie-missing-httponly.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/java/lang/security/audit/cookie-missing-secure-flag.yaml b/java/lang/security/audit/cookie-missing-secure-flag.yaml
index d4b9573659..de2bdc1a15 100644
--- a/java/lang/security/audit/cookie-missing-secure-flag.yaml
+++ b/java/lang/security/audit/cookie-missing-secure-flag.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/java/lang/security/audit/crlf-injection-logs.yaml b/java/lang/security/audit/crlf-injection-logs.yaml
index b51510e695..392d8dd48c 100644
--- a/java/lang/security/audit/crlf-injection-logs.yaml
+++ b/java/lang/security/audit/crlf-injection-logs.yaml
@@ -8,6 +8,7 @@ rules:
 - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS
 category: security
 technology:
diff --git a/java/lang/security/audit/crypto/des-is-deprecated.yaml b/java/lang/security/audit/crypto/des-is-deprecated.yaml
index b46f3723d1..a2985bd5ac 100644
--- a/java/lang/security/audit/crypto/des-is-deprecated.yaml
+++ b/java/lang/security/audit/crypto/des-is-deprecated.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DES_USAGE
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/crypto/desede-is-deprecated.yaml b/java/lang/security/audit/crypto/desede-is-deprecated.yaml
index 8e1eff9f86..5b2740a44a 100644
--- a/java/lang/security/audit/crypto/desede-is-deprecated.yaml
+++ b/java/lang/security/audit/crypto/desede-is-deprecated.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
 references:
 - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
diff --git a/java/lang/security/audit/crypto/ecb-cipher.yaml b/java/lang/security/audit/crypto/ecb-cipher.yaml
index c7ecd46cfe..31e16af71f 100644
--- a/java/lang/security/audit/crypto/ecb-cipher.yaml
+++ b/java/lang/security/audit/crypto/ecb-cipher.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE
 category: security
 technology:
diff --git a/java/lang/security/audit/crypto/gcm-detection.yaml b/java/lang/security/audit/crypto/gcm-detection.yaml
index e2f9c65524..b157856694 100644
--- a/java/lang/security/audit/crypto/gcm-detection.yaml
+++ b/java/lang/security/audit/crypto/gcm-detection.yaml
@@ -12,6 +12,7 @@ rules:
 - java
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: MEDIUM
diff --git a/java/lang/security/audit/crypto/gcm-nonce-reuse.yaml b/java/lang/security/audit/crypto/gcm-nonce-reuse.yaml
index edd6e1196d..439f817ab8 100644
--- a/java/lang/security/audit/crypto/gcm-nonce-reuse.yaml
+++ b/java/lang/security/audit/crypto/gcm-nonce-reuse.yaml
@@ -11,6 +11,7 @@ rules:
 - java
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
 subcategory:
diff --git a/java/lang/security/audit/crypto/no-null-cipher.yaml b/java/lang/security/audit/crypto/no-null-cipher.yaml
index a9a3c94aac..de0c653586 100644
--- a/java/lang/security/audit/crypto/no-null-cipher.yaml
+++ b/java/lang/security/audit/crypto/no-null-cipher.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/crypto/no-static-initialization-vector.yaml b/java/lang/security/audit/crypto/no-static-initialization-vector.yaml
index 0bf165f551..2cea6e9a5e 100644
--- a/java/lang/security/audit/crypto/no-static-initialization-vector.yaml
+++ b/java/lang/security/audit/crypto/no-static-initialization-vector.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-329: Generation of Predictable IV with CBC Mode'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#STATIC_IV
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/crypto/rsa-no-padding.yaml b/java/lang/security/audit/crypto/rsa-no-padding.yaml
index 0a898e7ec4..1036c5303d 100644
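Review bot: The new `- A04:2025 - Cryptographic Failures` entry in gcm-nonce-reuse is not reflected in that rule's `references:` list, which still links only `https://owasp.org/Top10/A02_2021-Cryptographic_Failures`; the same gap exists in java-reverse-shell, permissive-cors, hibernate-sqli, the other sqli/* rules, tainted-cmd/env/session/xpath-from-http-request and tainted-ldapi-from-http-request, whose references cite only the 2021 category page. A reader following the metadata to the named 2025 category has nothing to land on, so consider adding the matching 2025 page beside the 2021 one, e.g. `- <URL of the OWASP Top 10 2025 A04 Cryptographic Failures page>` (placeholder; substitute the real link per rule). The 2021 reference should stay, since the 2021 mapping is kept alongside the new one.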
--- a/java/lang/security/audit/crypto/rsa-no-padding.yaml
+++ b/java/lang/security/audit/crypto/rsa-no-padding.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING
 references:
 - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
diff --git a/java/lang/security/audit/crypto/ssl/avoid-implementing-custom-digests.yaml b/java/lang/security/audit/crypto/ssl/avoid-implementing-custom-digests.yaml
index 5a508f863f..8754c49a6a 100644
--- a/java/lang/security/audit/crypto/ssl/avoid-implementing-custom-digests.yaml
+++ b/java/lang/security/audit/crypto/ssl/avoid-implementing-custom-digests.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/crypto/ssl/defaulthttpclient-is-deprecated.yaml b/java/lang/security/audit/crypto/ssl/defaulthttpclient-is-deprecated.yaml
index b119c536be..c5d3b1631d 100644
--- a/java/lang/security/audit/crypto/ssl/defaulthttpclient-is-deprecated.yaml
+++ b/java/lang/security/audit/crypto/ssl/defaulthttpclient-is-deprecated.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
 asvs:
 section: V9 Communications Verification Requirements
diff --git a/java/lang/security/audit/crypto/ssl/insecure-hostname-verifier.yaml b/java/lang/security/audit/crypto/ssl/insecure-hostname-verifier.yaml
index 65879e3262..43526e1252 100644
--- a/java/lang/security/audit/crypto/ssl/insecure-hostname-verifier.yaml
+++ b/java/lang/security/audit/crypto/ssl/insecure-hostname-verifier.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER
 asvs:
 section: V9 Communications Verification Requirements
diff --git a/java/lang/security/audit/crypto/ssl/insecure-trust-manager.yaml b/java/lang/security/audit/crypto/ssl/insecure-trust-manager.yaml
index c36c33f960..910f54b8c5 100644
--- a/java/lang/security/audit/crypto/ssl/insecure-trust-manager.yaml
+++ b/java/lang/security/audit/crypto/ssl/insecure-trust-manager.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER
 asvs:
 section: V9 Communications Verification Requirements
diff --git a/java/lang/security/audit/crypto/unencrypted-socket.yaml b/java/lang/security/audit/crypto/unencrypted-socket.yaml
index b26ea9c113..bb7fca47cd 100644
--- a/java/lang/security/audit/crypto/unencrypted-socket.yaml
+++ b/java/lang/security/audit/crypto/unencrypted-socket.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/crypto/use-of-aes-ecb.yaml b/java/lang/security/audit/crypto/use-of-aes-ecb.yaml
index 0cc32cd146..2315e864a0 100644
--- a/java/lang/security/audit/crypto/use-of-aes-ecb.yaml
+++ b/java/lang/security/audit/crypto/use-of-aes-ecb.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/crypto/use-of-blowfish.yaml b/java/lang/security/audit/crypto/use-of-blowfish.yaml
index 50e672663d..8dc27b432b 100644
--- a/java/lang/security/audit/crypto/use-of-blowfish.yaml
+++ b/java/lang/security/audit/crypto/use-of-blowfish.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/crypto/use-of-default-aes.yaml b/java/lang/security/audit/crypto/use-of-default-aes.yaml
index 06db99fe05..5c16bf0079 100644
--- a/java/lang/security/audit/crypto/use-of-default-aes.yaml
+++ b/java/lang/security/audit/crypto/use-of-default-aes.yaml
@@ -39,6 +39,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/crypto/use-of-md5-digest-utils.yaml b/java/lang/security/audit/crypto/use-of-md5-digest-utils.yaml
index 02abd4a839..ed9513f5fb 100644
--- a/java/lang/security/audit/crypto/use-of-md5-digest-utils.yaml
+++ b/java/lang/security/audit/crypto/use-of-md5-digest-utils.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
diff --git a/java/lang/security/audit/crypto/use-of-md5.yaml b/java/lang/security/audit/crypto/use-of-md5.yaml
index c50e3cabe3..15d8f45591 100644
--- a/java/lang/security/audit/crypto/use-of-md5.yaml
+++ b/java/lang/security/audit/crypto/use-of-md5.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
diff --git a/java/lang/security/audit/crypto/use-of-rc2.yaml b/java/lang/security/audit/crypto/use-of-rc2.yaml
index bef584c22f..5fc61335d5 100644
--- a/java/lang/security/audit/crypto/use-of-rc2.yaml
+++ b/java/lang/security/audit/crypto/use-of-rc2.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/crypto/use-of-rc4.yaml b/java/lang/security/audit/crypto/use-of-rc4.yaml
index 5b83eeae8f..f147e7bedf 100644
--- a/java/lang/security/audit/crypto/use-of-rc4.yaml
+++ b/java/lang/security/audit/crypto/use-of-rc4.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - java
diff --git a/java/lang/security/audit/crypto/use-of-sha1.yaml b/java/lang/security/audit/crypto/use-of-sha1.yaml
index 0deaa979e4..d95edb95b6 100644
--- a/java/lang/security/audit/crypto/use-of-sha1.yaml
+++ b/java/lang/security/audit/crypto/use-of-sha1.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
diff --git a/java/lang/security/audit/crypto/use-of-sha224.yaml b/java/lang/security/audit/crypto/use-of-sha224.yaml
index 0f1bb6c51b..3fa013b255 100644
--- a/java/lang/security/audit/crypto/use-of-sha224.yaml
+++ b/java/lang/security/audit/crypto/use-of-sha224.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 asvs:
diff --git a/java/lang/security/audit/crypto/weak-random.yaml b/java/lang/security/audit/crypto/weak-random.yaml
index 2bb9c50cff..24b95a2807 100644
--- a/java/lang/security/audit/crypto/weak-random.yaml
+++ b/java/lang/security/audit/crypto/weak-random.yaml
@@ -11,6 +11,7 @@ rules:
 - 'crypto::search::randomness::java.security'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-330: Use of Insufficiently Random Values'
 category: security
diff --git a/java/lang/security/audit/crypto/weak-rsa.yaml b/java/lang/security/audit/crypto/weak-rsa.yaml
index 1bf90620bc..fad194fad5 100644
--- a/java/lang/security/audit/crypto/weak-rsa.yaml
+++ b/java/lang/security/audit/crypto/weak-rsa.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/java/lang/security/audit/dangerous-groovy-shell.yaml b/java/lang/security/audit/dangerous-groovy-shell.yaml
index f797e7de5e..1cd962e7fb 100644
--- a/java/lang/security/audit/dangerous-groovy-shell.yaml
+++ b/java/lang/security/audit/dangerous-groovy-shell.yaml
@@ -29,6 +29,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL
 category: security
 technology:
diff --git a/java/lang/security/audit/el-injection.yaml b/java/lang/security/audit/el-injection.yaml
index 4bcac87ab0..df9bdc9297 100644
--- a/java/lang/security/audit/el-injection.yaml
+++ b/java/lang/security/audit/el-injection.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION
 category: security
 technology:
diff --git a/java/lang/security/audit/formatted-sql-string.yaml b/java/lang/security/audit/formatted-sql-string.yaml
index 82c38a170b..9b66eea85f 100644
--- a/java/lang/security/audit/formatted-sql-string.yaml
+++ b/java/lang/security/audit/formatted-sql-string.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
diff --git a/java/lang/security/audit/http-response-splitting.yaml b/java/lang/security/audit/http-response-splitting.yaml
index 9e2ccb5b40..0203381829 100644
--- a/java/lang/security/audit/http-response-splitting.yaml
+++ b/java/lang/security/audit/http-response-splitting.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING
 references:
 - https://www.owasp.org/index.php/HTTP_Response_Splitting
diff --git a/java/lang/security/audit/insecure-smtp-connection.yaml b/java/lang/security/audit/insecure-smtp-connection.yaml
index 8694c80c6e..1bdd02375f 100644
--- a/java/lang/security/audit/insecure-smtp-connection.yaml
+++ b/java/lang/security/audit/insecure-smtp-connection.yaml
@@ -5,6 +5,7 @@ rules:
 - 'CWE-297: Improper Validation of Certificate with Host Mismatch'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL
 category: security
 technology:
diff --git a/java/lang/security/audit/java-reverse-shell.yaml b/java/lang/security/audit/java-reverse-shell.yaml
index 2c57f82cbd..3cede9ebeb 100644
--- a/java/lang/security/audit/java-reverse-shell.yaml
+++ b/java/lang/security/audit/java-reverse-shell.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/jdbc-sql-formatted-string.yaml b/java/lang/security/audit/jdbc-sql-formatted-string.yaml
index 0d0b2919d1..d836120c27 100644
--- a/java/lang/security/audit/jdbc-sql-formatted-string.yaml
+++ b/java/lang/security/audit/jdbc-sql-formatted-string.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
diff --git a/java/lang/security/audit/ldap-entry-poisoning.yaml b/java/lang/security/audit/ldap-entry-poisoning.yaml
index b9b0f05c29..1d961eaaa2 100644
--- a/java/lang/security/audit/ldap-entry-poisoning.yaml
+++ b/java/lang/security/audit/ldap-entry-poisoning.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING
diff --git a/java/lang/security/audit/ldap-injection.yaml b/java/lang/security/audit/ldap-injection.yaml
index b5f1eb2081..ef7b5aaec7 100644
--- a/java/lang/security/audit/ldap-injection.yaml
+++ b/java/lang/security/audit/ldap-injection.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
diff --git a/java/lang/security/audit/md5-used-as-password.yaml b/java/lang/security/audit/md5-used-as-password.yaml
index 4fa41213d5..dc9028941b 100644
--- a/java/lang/security/audit/md5-used-as-password.yaml
+++ b/java/lang/security/audit/md5-used-as-password.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 subcategory:
diff --git a/java/lang/security/audit/object-deserialization.yaml b/java/lang/security/audit/object-deserialization.yaml
index 5acf41a210..d58e1c5fe8 100644
--- a/java/lang/security/audit/object-deserialization.yaml
+++ b/java/lang/security/audit/object-deserialization.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION
 references:
 - https://www.owasp.org/index.php/Deserialization_of_untrusted_data
diff --git a/java/lang/security/audit/ognl-injection.yaml b/java/lang/security/audit/ognl-injection.yaml
index a890d24103..48769ca0b8 100644
--- a/java/lang/security/audit/ognl-injection.yaml
+++ b/java/lang/security/audit/ognl-injection.yaml
@@ -8,6 +8,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION
 category: security
 technology:
diff --git a/java/lang/security/audit/overly-permissive-file-permission.yaml b/java/lang/security/audit/overly-permissive-file-permission.yaml
index 9e1e8da9a4..3933c8a2ea 100644
--- a/java/lang/security/audit/overly-permissive-file-permission.yaml
+++ b/java/lang/security/audit/overly-permissive-file-permission.yaml
@@ -15,6 +15,7 @@ rules:
 - 'CWE-276: Incorrect Default Permissions'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION
 category: security
 technology:
diff --git a/java/lang/security/audit/permissive-cors.yaml b/java/lang/security/audit/permissive-cors.yaml
index 998d5084de..408e662b3c 100644
--- a/java/lang/security/audit/permissive-cors.yaml
+++ b/java/lang/security/audit/permissive-cors.yaml
@@ -18,6 +18,7 @@ rules:
 - java
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://owasp.org/Top10/A04_2021-Insecure_Design
 subcategory:
diff --git a/java/lang/security/audit/script-engine-injection.yaml b/java/lang/security/audit/script-engine-injection.yaml
index 817d245e10..6a68f1306c 100644
--- a/java/lang/security/audit/script-engine-injection.yaml
+++ b/java/lang/security/audit/script-engine-injection.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION
 category: security
 technology:
diff --git a/java/lang/security/audit/sqli/hibernate-sqli.yaml b/java/lang/security/audit/sqli/hibernate-sqli.yaml
index 9414fe7b8e..91d58cd0c9 100644
--- a/java/lang/security/audit/sqli/hibernate-sqli.yaml
+++ b/java/lang/security/audit/sqli/hibernate-sqli.yaml
@@ -76,6 +76,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/sqli/jdbc-sqli.yaml b/java/lang/security/audit/sqli/jdbc-sqli.yaml
index 7c7c865b29..c84256deae 100644
--- a/java/lang/security/audit/sqli/jdbc-sqli.yaml
+++ b/java/lang/security/audit/sqli/jdbc-sqli.yaml
@@ -51,6 +51,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/sqli/jdo-sqli.yaml b/java/lang/security/audit/sqli/jdo-sqli.yaml
index 6d5e9b35ae..481648a275 100644
--- a/java/lang/security/audit/sqli/jdo-sqli.yaml
+++ b/java/lang/security/audit/sqli/jdo-sqli.yaml
@@ -84,6 +84,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/sqli/jpa-sqli.yaml b/java/lang/security/audit/sqli/jpa-sqli.yaml
index 268ca1eb8f..ee5e4fc273 100644
--- a/java/lang/security/audit/sqli/jpa-sqli.yaml
+++ b/java/lang/security/audit/sqli/jpa-sqli.yaml
@@ -51,6 +51,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/sqli/tainted-sql-from-http-request.yaml b/java/lang/security/audit/sqli/tainted-sql-from-http-request.yaml
index fa96a5483e..d75e082a36 100644
--- a/java/lang/security/audit/sqli/tainted-sql-from-http-request.yaml
+++ b/java/lang/security/audit/sqli/tainted-sql-from-http-request.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
 - https://owasp.org/www-community/attacks/SQL_Injection
diff --git a/java/lang/security/audit/sqli/turbine-sqli.yaml b/java/lang/security/audit/sqli/turbine-sqli.yaml
index 3780fd6472..fd704d60fb 100644
--- a/java/lang/security/audit/sqli/turbine-sqli.yaml
+++ b/java/lang/security/audit/sqli/turbine-sqli.yaml
@@ -83,6 +83,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/sqli/vertx-sqli.yaml b/java/lang/security/audit/sqli/vertx-sqli.yaml
index 3cbadc8248..4aa27e7e85 100644
--- a/java/lang/security/audit/sqli/vertx-sqli.yaml
+++ b/java/lang/security/audit/sqli/vertx-sqli.yaml
@@ -58,6 +58,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/tainted-cmd-from-http-request.yaml b/java/lang/security/audit/tainted-cmd-from-http-request.yaml
index 9e8d177d90..fbcc793201 100644
--- a/java/lang/security/audit/tainted-cmd-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-cmd-from-http-request.yaml
@@ -62,6 +62,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/java/lang/security/audit/tainted-env-from-http-request.yaml b/java/lang/security/audit/tainted-env-from-http-request.yaml
index b39620e8d3..5f08b77142 100644
--- a/java/lang/security/audit/tainted-env-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-env-from-http-request.yaml
@@ -34,6 +34,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: false
diff --git a/java/lang/security/audit/tainted-ldapi-from-http-request.yaml b/java/lang/security/audit/tainted-ldapi-from-http-request.yaml
index 6d47fb24c9..e8e84cb6cd 100644
--- a/java/lang/security/audit/tainted-ldapi-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-ldapi-from-http-request.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection
 category: security
diff --git a/java/lang/security/audit/tainted-session-from-http-request.yaml b/java/lang/security/audit/tainted-session-from-http-request.yaml
index 7bd3a58c8b..21eaa54a0e 100644
--- a/java/lang/security/audit/tainted-session-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-session-from-http-request.yaml
@@ -59,6 +59,7 @@ rules:
 - 'CWE-501: Trust Boundary Violation'
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://owasp.org/Top10/A04_2021-Insecure_Design
 subcategory:
diff --git a/java/lang/security/audit/tainted-xpath-from-http-request.yaml b/java/lang/security/audit/tainted-xpath-from-http-request.yaml
index f59c3d93e0..bad05435d7 100644
--- a/java/lang/security/audit/tainted-xpath-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-xpath-from-http-request.yaml
@@ -28,6 +28,7 @@ rules:
 - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 subcategory:
diff --git a/java/lang/security/audit/unsafe-reflection.yaml b/java/lang/security/audit/unsafe-reflection.yaml
index f1cd3c2a9c..3165d12d76 100644
--- a/java/lang/security/audit/unsafe-reflection.yaml
+++ b/java/lang/security/audit/unsafe-reflection.yaml
@@ -22,6 +22,7 @@ rules:
 - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection
 category: security
 technology:
diff --git a/java/lang/security/audit/unvalidated-redirect.yaml b/java/lang/security/audit/unvalidated-redirect.yaml
index 25d8f32499..dab4867545 100644
--- a/java/lang/security/audit/unvalidated-redirect.yaml
+++ b/java/lang/security/audit/unvalidated-redirect.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
diff --git a/java/lang/security/audit/url-rewriting.yaml b/java/lang/security/audit/url-rewriting.yaml
index 10b086dfab..074c7b479f 100644
--- a/java/lang/security/audit/url-rewriting.yaml
+++ b/java/lang/security/audit/url-rewriting.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING
 category: security
 technology:
diff --git a/java/lang/security/audit/weak-ssl-context.yaml b/java/lang/security/audit/weak-ssl-context.yaml
index c4169fd0c0..d25cfe0406 100644
--- a/java/lang/security/audit/weak-ssl-context.yaml
+++ b/java/lang/security/audit/weak-ssl-context.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
 references:
 - https://tools.ietf.org/html/rfc7568
diff --git a/java/lang/security/audit/xml-decoder.yaml b/java/lang/security/audit/xml-decoder.yaml
index 4e977ca377..d068dad867 100644
--- a/java/lang/security/audit/xml-decoder.yaml
+++ b/java/lang/security/audit/xml-decoder.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
 references:
 - https://semgrep.dev/blog/2022/xml-security-in-java
diff --git a/java/lang/security/audit/xss/jsp/no-scriptlets.yaml b/java/lang/security/audit/xss/jsp/no-scriptlets.yaml
index aa4285dfbc..86e9811840 100644
--- a/java/lang/security/audit/xss/jsp/no-scriptlets.yaml
+++ b/java/lang/security/audit/xss/jsp/no-scriptlets.yaml
@@ -8,6 +8,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 references:
diff --git a/java/lang/security/audit/xss/jsp/use-escapexml.yaml b/java/lang/security/audit/xss/jsp/use-escapexml.yaml
index 3fe7c6fd82..6a4c431097 100644
--- a/java/lang/security/audit/xss/jsp/use-escapexml.yaml
+++ b/java/lang/security/audit/xss/jsp/use-escapexml.yaml
@@ -10,6 +10,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 references:
diff --git a/java/lang/security/audit/xss/jsp/use-jstl-escaping.yaml b/java/lang/security/audit/xss/jsp/use-jstl-escaping.yaml
index 2042f72687..de8d73abe6 100644
--- a/java/lang/security/audit/xss/jsp/use-jstl-escaping.yaml
+++ b/java/lang/security/audit/xss/jsp/use-jstl-escaping.yaml
@@ -11,6 +11,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 references:
diff --git a/java/lang/security/audit/xss/no-direct-response-writer.yaml b/java/lang/security/audit/xss/no-direct-response-writer.yaml
index 377fdec1ee..d9d4073d52 100644
--- a/java/lang/security/audit/xss/no-direct-response-writer.yaml
+++ b/java/lang/security/audit/xss/no-direct-response-writer.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html
 subcategory:
diff --git a/java/lang/security/audit/xssrequestwrapper-is-insecure.yaml b/java/lang/security/audit/xssrequestwrapper-is-insecure.yaml
index 80f970d9a0..7341df8cdd 100644
--- a/java/lang/security/audit/xssrequestwrapper-is-insecure.yaml
+++ b/java/lang/security/audit/xssrequestwrapper-is-insecure.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER
diff --git a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-false.yaml b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-false.yaml
index 860ceb3f04..7c9f123515 100644
--- a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-false.yaml
+++ b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-false.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.yaml b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.yaml
index d3787de2f7..bc5fa84945 100644
--- a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.yaml
+++ b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/audit/xxe/documentbuilderfactory-external-general-entities-true.yaml b/java/lang/security/audit/xxe/documentbuilderfactory-external-general-entities-true.yaml
index f8c49a172f..61d9d631f5 100644
--- a/java/lang/security/audit/xxe/documentbuilderfactory-external-general-entities-true.yaml
+++ b/java/lang/security/audit/xxe/documentbuilderfactory-external-general-entities-true.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/audit/xxe/documentbuilderfactory-external-parameter-entities-true.yaml b/java/lang/security/audit/xxe/documentbuilderfactory-external-parameter-entities-true.yaml
index 741161294a..ceb3c7dd94 100644
--- a/java/lang/security/audit/xxe/documentbuilderfactory-external-parameter-entities-true.yaml
+++ b/java/lang/security/audit/xxe/documentbuilderfactory-external-parameter-entities-true.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/audit/xxe/saxparserfactory-disallow-doctype-decl-missing.yaml b/java/lang/security/audit/xxe/saxparserfactory-disallow-doctype-decl-missing.yaml
index 495aaa841c..484be85c2a 100644
--- a/java/lang/security/audit/xxe/saxparserfactory-disallow-doctype-decl-missing.yaml
+++ b/java/lang/security/audit/xxe/saxparserfactory-disallow-doctype-decl-missing.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/audit/xxe/transformerfactory-dtds-not-disabled.yaml b/java/lang/security/audit/xxe/transformerfactory-dtds-not-disabled.yaml
index 3a3396fd49..07e532db88 100644
--- a/java/lang/security/audit/xxe/transformerfactory-dtds-not-disabled.yaml
+++ b/java/lang/security/audit/xxe/transformerfactory-dtds-not-disabled.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: V5 Validation, Sanitization and Encoding
 control_id: 5.5.2 Insecue XML Deserialization
diff --git a/java/lang/security/do-privileged-use.yaml b/java/lang/security/do-privileged-use.yaml
index e337147ea0..e2d37e9a66 100644
--- a/java/lang/security/do-privileged-use.yaml
+++ b/java/lang/security/do-privileged-use.yaml
@@ -15,6 +15,7 @@ rules:
 - java
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: LOW
diff --git a/java/lang/security/httpservlet-path-traversal.yaml b/java/lang/security/httpservlet-path-traversal.yaml
index ea87c30d41..e20b4ddab3 100644
--- a/java/lang/security/httpservlet-path-traversal.yaml
+++ b/java/lang/security/httpservlet-path-traversal.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN
 references:
 - https://www.owasp.org/index.php/Path_Traversal
diff --git a/java/lang/security/insecure-jms-deserialization.yaml b/java/lang/security/insecure-jms-deserialization.yaml
index ca061605bb..57eab11994 100644
--- a/java/lang/security/insecure-jms-deserialization.yaml
+++ b/java/lang/security/insecure-jms-deserialization.yaml
@@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.3 Insecue Deserialization diff --git a/java/lang/security/servletresponse-writer-xss.yaml b/java/lang/security/servletresponse-writer-xss.yaml index 69f2ab27dd..7ee5495af8 100644 --- a/java/lang/security/servletresponse-writer-xss.yaml +++ b/java/lang/security/servletresponse-writer-xss.yaml @@ -12,6 +12,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET category: security technology: diff --git a/java/lang/security/use-snakeyaml-constructor.yaml b/java/lang/security/use-snakeyaml-constructor.yaml index 6f125a7f85..13ea0abf2e 100644 --- a/java/lang/security/use-snakeyaml-constructor.yaml +++ b/java/lang/security/use-snakeyaml-constructor.yaml @@ -6,6 +6,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml index 0d4c3a8734..05254c2a64 100644 --- a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml +++ b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml @@ -7,6 +7,7 @@ rules: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization diff --git a/java/lang/security/xmlinputfactory-possible-xxe.yaml b/java/lang/security/xmlinputfactory-possible-xxe.yaml index 5d9a82dff0..8c461d7025 100644 
--- a/java/lang/security/xmlinputfactory-possible-xxe.yaml +++ b/java/lang/security/xmlinputfactory-possible-xxe.yaml @@ -7,6 +7,7 @@ rules: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization diff --git a/java/mongodb/security/injection/audit/mongodb-nosqli.yaml b/java/mongodb/security/injection/audit/mongodb-nosqli.yaml index ff27315f75..14b4358407 100644 --- a/java/mongodb/security/injection/audit/mongodb-nosqli.yaml +++ b/java/mongodb/security/injection/audit/mongodb-nosqli.yaml @@ -53,6 +53,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.4 Injection Prevention diff --git a/java/rmi/security/server-dangerous-class-deserialization.yaml b/java/rmi/security/server-dangerous-class-deserialization.yaml index 175daed4b0..1d318187af 100644 --- a/java/rmi/security/server-dangerous-class-deserialization.yaml +++ b/java/rmi/security/server-dangerous-class-deserialization.yaml @@ -9,6 +9,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ category: security diff --git a/java/rmi/security/server-dangerous-object-deserialization.yaml b/java/rmi/security/server-dangerous-object-deserialization.yaml index 1e95c95c12..0eb9d6e441 100644 --- a/java/rmi/security/server-dangerous-object-deserialization.yaml +++ b/java/rmi/security/server-dangerous-object-deserialization.yaml 
@@ -7,6 +7,7 @@ rules: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures references: - https://frohoff.github.io/appseccali-marshalling-pickles/ - https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi diff --git a/java/servlets/security/cookie-issecure-false.yaml b/java/servlets/security/cookie-issecure-false.yaml index 940c34ba5c..292c778a5e 100644 --- a/java/servlets/security/cookie-issecure-false.yaml +++ b/java/servlets/security/cookie-issecure-false.yaml @@ -17,6 +17,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - "CWE-319: Cleartext Transmission of Sensitive Information" references: diff --git a/java/servlets/security/cookie-setSecure.yaml b/java/servlets/security/cookie-setSecure.yaml index 80ef1e9f67..411ebc0f89 100644 --- a/java/servlets/security/cookie-setSecure.yaml +++ b/java/servlets/security/cookie-setSecure.yaml @@ -22,6 +22,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - "CWE-319: Cleartext Transmission of Sensitive Information" references: diff --git a/java/spring/security/audit/spel-injection.yaml b/java/spring/security/audit/spel-injection.yaml index 202e962fea..e321917a60 100644 --- a/java/spring/security/audit/spel-injection.yaml +++ b/java/spring/security/audit/spel-injection.yaml @@ -8,6 +8,7 @@ rules: - "CWE-94: Improper Control of Generation of Code ('Code Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION category: security technology: diff --git a/java/spring/security/audit/spring-actuator-fully-enabled-yaml.yaml b/java/spring/security/audit/spring-actuator-fully-enabled-yaml.yaml index 5a7b1dccec..790c821b66 100644 
--- a/java/spring/security/audit/spring-actuator-fully-enabled-yaml.yaml +++ b/java/spring/security/audit/spring-actuator-fully-enabled-yaml.yaml @@ -24,6 +24,7 @@ rules: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 diff --git a/java/spring/security/audit/spring-actuator-fully-enabled.yaml b/java/spring/security/audit/spring-actuator-fully-enabled.yaml index a4e0d52cfb..f95e556bf6 100644 --- a/java/spring/security/audit/spring-actuator-fully-enabled.yaml +++ b/java/spring/security/audit/spring-actuator-fully-enabled.yaml @@ -16,6 +16,7 @@ rules: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 diff --git a/java/spring/security/audit/spring-actuator-non-health-enabled-yaml.yaml b/java/spring/security/audit/spring-actuator-non-health-enabled-yaml.yaml index fdd51923f4..f96303e06c 100644 --- a/java/spring/security/audit/spring-actuator-non-health-enabled-yaml.yaml +++ b/java/spring/security/audit/spring-actuator-non-health-enabled-yaml.yaml 
@@ -27,6 +27,7 @@ rules: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 diff --git a/java/spring/security/audit/spring-actuator-non-health-enabled.yaml b/java/spring/security/audit/spring-actuator-non-health-enabled.yaml index f80a22d136..ba4a231797 100644 --- a/java/spring/security/audit/spring-actuator-non-health-enabled.yaml +++ b/java/spring/security/audit/spring-actuator-non-health-enabled.yaml @@ -18,6 +18,7 @@ rules: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 diff --git a/java/spring/security/audit/spring-csrf-disabled.yaml b/java/spring/security/audit/spring-csrf-disabled.yaml index cb7cd8b265..245227955a 100644 --- a/java/spring/security/audit/spring-csrf-disabled.yaml +++ b/java/spring/security/audit/spring-csrf-disabled.yaml @@ -7,6 +7,7 @@ rules: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED asvs: section: V4 Access Control diff --git a/java/spring/security/audit/spring-jsp-eval.yaml b/java/spring/security/audit/spring-jsp-eval.yaml index 18161fc766..61c6ebade7 100644 --- a/java/spring/security/audit/spring-jsp-eval.yaml +++ b/java/spring/security/audit/spring-jsp-eval.yaml 
@@ -12,6 +12,7 @@ rules: - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL category: security technology: diff --git a/java/spring/security/audit/spring-sqli.yaml b/java/spring/security/audit/spring-sqli.yaml index 4461a141b4..6e71af0cb9 100644 --- a/java/spring/security/audit/spring-sqli.yaml +++ b/java/spring/security/audit/spring-sqli.yaml @@ -56,6 +56,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true diff --git a/java/spring/security/audit/spring-unvalidated-redirect.yaml b/java/spring/security/audit/spring-unvalidated-redirect.yaml index e87f6a7ea4..f61239d309 100644 --- a/java/spring/security/audit/spring-unvalidated-redirect.yaml +++ b/java/spring/security/audit/spring-unvalidated-redirect.yaml @@ -8,6 +8,7 @@ rules: - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT category: security technology: diff --git a/java/spring/security/injection/tainted-file-path.yaml b/java/spring/security/injection/tainted-file-path.yaml index 189ec660c7..04717a411c 100644 --- a/java/spring/security/injection/tainted-file-path.yaml +++ b/java/spring/security/injection/tainted-file-path.yaml @@ -15,6 +15,7 @@ rules: - 'CWE-23: Relative Path Traversal' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security diff --git a/java/spring/security/injection/tainted-html-string.yaml b/java/spring/security/injection/tainted-html-string.yaml index 1551da062d..2762fbecb0 100644 
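Review bot: In spring-sqli the new `- A05:2025 - Injection` entry is immediately followed by a `references` list that still cites only the 2021 category page, `https://owasp.org/Top10/A03_2021-Injection`, so the references no longer cover every OWASP category the rule claims. Adding the corresponding 2025 Injection category page alongside the existing link would keep the metadata self-consistent; this is the only hunk in the set whose references block names a specific OWASP Top 10 year. The rest of the spring hunks on this line (spring-jsp-eval, spring-unvalidated-redirect, tainted-file-path) add their 2025 entry consistently with the 2021 one and need nothing further.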
--- a/java/spring/security/injection/tainted-html-string.yaml +++ b/java/spring/security/injection/tainted-html-string.yaml @@ -16,6 +16,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html category: security diff --git a/java/spring/security/injection/tainted-sql-string.yaml b/java/spring/security/injection/tainted-sql-string.yaml index 593d8d7971..18e0676913 100644 --- a/java/spring/security/injection/tainted-sql-string.yaml +++ b/java/spring/security/injection/tainted-sql-string.yaml @@ -16,6 +16,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html category: security diff --git a/java/spring/security/injection/tainted-system-command.yaml b/java/spring/security/injection/tainted-system-command.yaml index 2d2f493552..f30b86f412 100644 --- a/java/spring/security/injection/tainted-system-command.yaml +++ b/java/spring/security/injection/tainted-system-command.yaml @@ -87,6 +87,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - java diff --git a/java/spring/security/injection/tainted-url-host.yaml b/java/spring/security/injection/tainted-url-host.yaml index 0ff2242187..17a2e80aeb 100644 --- a/java/spring/security/injection/tainted-url-host.yaml +++ b/java/spring/security/injection/tainted-url-host.yaml @@ -19,6 +19,7 @@ rules: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security 
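Review bot: In tainted-url-host the new `- A01:2025 - Broken Access Control` is the rule's only 2025 entry and drops the SSRF wording entirely, so a reader of this block now sees a CWE-918 rule mapped to what reads as a pure access-control category with nothing explaining the jump from `A10:2021 - Server-Side Request Forgery (SSRF)`. As I understand the 2025 list, OWASP folded SSRF into A01, so the mapping is right, but it is worth making that traceable in place with a trailing comment such as `- A01:2025 - Broken Access Control  # SSRF (A10:2021) was merged into A01 in the 2025 list`. The same applies to the apollo-axios-ssrf and chrome-remote-interface-compilescript-injection hunks further down, which make the identical substitution.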
diff --git a/java/spring/security/unrestricted-request-mapping.yaml b/java/spring/security/unrestricted-request-mapping.yaml index 7e3e5c5f15..d3609a7b8f 100644 --- a/java/spring/security/unrestricted-request-mapping.yaml +++ b/java/spring/security/unrestricted-request-mapping.yaml @@ -22,6 +22,7 @@ rules: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING references: - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING diff --git a/javascript/angular/security/detect-angular-element-methods.yaml b/javascript/angular/security/detect-angular-element-methods.yaml index 6df7784637..dc92fa01b6 100644 --- a/javascript/angular/security/detect-angular-element-methods.yaml +++ b/javascript/angular/security/detect-angular-element-methods.yaml @@ -18,6 +18,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-element-taint.yaml b/javascript/angular/security/detect-angular-element-taint.yaml index d7428c76d6..9f5bf1ab1e 100644 --- a/javascript/angular/security/detect-angular-element-taint.yaml +++ b/javascript/angular/security/detect-angular-element-taint.yaml @@ -18,6 +18,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-open-redirect.yaml b/javascript/angular/security/detect-angular-open-redirect.yaml index 8ecf6f0788..d9377f1b89 100644 --- a/javascript/angular/security/detect-angular-open-redirect.yaml +++ b/javascript/angular/security/detect-angular-open-redirect.yaml 
@@ -19,6 +19,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-resource-loading.yaml b/javascript/angular/security/detect-angular-resource-loading.yaml index c44e10b27b..99e9ca692d 100644 --- a/javascript/angular/security/detect-angular-resource-loading.yaml +++ b/javascript/angular/security/detect-angular-resource-loading.yaml @@ -14,6 +14,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-sce-disabled.yaml b/javascript/angular/security/detect-angular-sce-disabled.yaml index 9cc34e0bc2..941c2da41e 100644 --- a/javascript/angular/security/detect-angular-sce-disabled.yaml +++ b/javascript/angular/security/detect-angular-sce-disabled.yaml @@ -15,6 +15,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-trust-as-css.yaml b/javascript/angular/security/detect-angular-trust-as-css.yaml index c27e82d507..e12389df18 100644 --- a/javascript/angular/security/detect-angular-trust-as-css.yaml +++ b/javascript/angular/security/detect-angular-trust-as-css.yaml @@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsCss - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf diff --git a/javascript/angular/security/detect-angular-trust-as-html-method.yaml b/javascript/angular/security/detect-angular-trust-as-html-method.yaml index 6bd2f85968..97682d47ea 100644 --- a/javascript/angular/security/detect-angular-trust-as-html-method.yaml 
+++ b/javascript/angular/security/detect-angular-trust-as-html-method.yaml @@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf diff --git a/javascript/angular/security/detect-angular-trust-as-js-method.yaml b/javascript/angular/security/detect-angular-trust-as-js-method.yaml index 9782ae9d3e..82c82bde55 100644 --- a/javascript/angular/security/detect-angular-trust-as-js-method.yaml +++ b/javascript/angular/security/detect-angular-trust-as-js-method.yaml @@ -6,6 +6,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf diff --git a/javascript/angular/security/detect-angular-trust-as-method.yaml b/javascript/angular/security/detect-angular-trust-as-method.yaml index b24676524e..7d7921727a 100644 --- a/javascript/angular/security/detect-angular-trust-as-method.yaml +++ b/javascript/angular/security/detect-angular-trust-as-method.yaml @@ -14,6 +14,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/angular/security/detect-angular-trust-as-resourceurl-method.yaml b/javascript/angular/security/detect-angular-trust-as-resourceurl-method.yaml index 09cb95523e..fea41cd714 100644 --- a/javascript/angular/security/detect-angular-trust-as-resourceurl-method.yaml +++ b/javascript/angular/security/detect-angular-trust-as-resourceurl-method.yaml 
@@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf diff --git a/javascript/angular/security/detect-angular-trust-as-url-method.yaml b/javascript/angular/security/detect-angular-trust-as-url-method.yaml index cdb16268d4..b4919e18e9 100644 --- a/javascript/angular/security/detect-angular-trust-as-url-method.yaml +++ b/javascript/angular/security/detect-angular-trust-as-url-method.yaml @@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf diff --git a/javascript/angular/security/detect-third-party-angular-translate.yaml b/javascript/angular/security/detect-third-party-angular-translate.yaml index 1ea4a41882..5988ae3c69 100644 --- a/javascript/angular/security/detect-third-party-angular-translate.yaml +++ b/javascript/angular/security/detect-third-party-angular-translate.yaml @@ -16,6 +16,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/javascript/apollo/security/apollo-axios-ssrf.yaml b/javascript/apollo/security/apollo-axios-ssrf.yaml index 08e8869315..13eccc4a21 100644 --- a/javascript/apollo/security/apollo-axios-ssrf.yaml +++ b/javascript/apollo/security/apollo-axios-ssrf.yaml @@ -10,6 +10,7 @@ rules: metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security 
diff --git a/javascript/argon2/security/unsafe-argon2-config.yaml b/javascript/argon2/security/unsafe-argon2-config.yaml index 0b47fc0bb9..f38b579873 100644 --- a/javascript/argon2/security/unsafe-argon2-config.yaml +++ b/javascript/argon2/security/unsafe-argon2-config.yaml @@ -17,6 +17,7 @@ rules: - cryptography owasp: - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures subcategory: - vuln impact: LOW diff --git a/javascript/audit/detect-replaceall-sanitization.yaml b/javascript/audit/detect-replaceall-sanitization.yaml index dd3da15bdb..1ac951515b 100644 --- a/javascript/audit/detect-replaceall-sanitization.yaml +++ b/javascript/audit/detect-replaceall-sanitization.yaml @@ -13,6 +13,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" references: diff --git a/javascript/aws-lambda/security/detect-child-process.yaml b/javascript/aws-lambda/security/detect-child-process.yaml index 94b8d7dc30..4ab50d41cd 100644 --- a/javascript/aws-lambda/security/detect-child-process.yaml +++ b/javascript/aws-lambda/security/detect-child-process.yaml @@ -11,6 +11,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - javascript diff --git a/javascript/aws-lambda/security/knex-sqli.yaml b/javascript/aws-lambda/security/knex-sqli.yaml index 36366bdfce..39ba3eaf7d 100644 --- a/javascript/aws-lambda/security/knex-sqli.yaml +++ b/javascript/aws-lambda/security/knex-sqli.yaml @@ -15,6 +15,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" technology: diff --git a/javascript/aws-lambda/security/mysql-sqli.yaml b/javascript/aws-lambda/security/mysql-sqli.yaml index e2218b2e4b..080fb62fe6 100644 
--- a/javascript/aws-lambda/security/mysql-sqli.yaml +++ b/javascript/aws-lambda/security/mysql-sqli.yaml @@ -14,6 +14,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" technology: diff --git a/javascript/aws-lambda/security/pg-sqli.yaml b/javascript/aws-lambda/security/pg-sqli.yaml index f994bca4f6..c6bde56f96 100644 --- a/javascript/aws-lambda/security/pg-sqli.yaml +++ b/javascript/aws-lambda/security/pg-sqli.yaml @@ -14,6 +14,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" technology: diff --git a/javascript/aws-lambda/security/sequelize-sqli.yaml b/javascript/aws-lambda/security/sequelize-sqli.yaml index 9b3f9ee99f..64d424c7ae 100644 --- a/javascript/aws-lambda/security/sequelize-sqli.yaml +++ b/javascript/aws-lambda/security/sequelize-sqli.yaml @@ -15,6 +15,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" technology: diff --git a/javascript/aws-lambda/security/tainted-eval.yaml b/javascript/aws-lambda/security/tainted-eval.yaml index 335a9c98f5..48012408a0 100644 --- a/javascript/aws-lambda/security/tainted-eval.yaml +++ b/javascript/aws-lambda/security/tainted-eval.yaml @@ -10,6 +10,7 @@ rules: - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - javascript diff --git a/javascript/aws-lambda/security/tainted-html-response.yaml b/javascript/aws-lambda/security/tainted-html-response.yaml index eb7b9f90ab..69e85a8bd1 100644 --- a/javascript/aws-lambda/security/tainted-html-response.yaml 
+++ b/javascript/aws-lambda/security/tainted-html-response.yaml @@ -11,6 +11,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - aws-lambda diff --git a/javascript/aws-lambda/security/tainted-html-string.yaml b/javascript/aws-lambda/security/tainted-html-string.yaml index baf8fd1a65..a2f1159d7b 100644 --- a/javascript/aws-lambda/security/tainted-html-string.yaml +++ b/javascript/aws-lambda/security/tainted-html-string.yaml @@ -14,6 +14,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - aws-lambda diff --git a/javascript/aws-lambda/security/tainted-sql-string.yaml b/javascript/aws-lambda/security/tainted-sql-string.yaml index 59e109aa1f..c4424dba3f 100644 --- a/javascript/aws-lambda/security/tainted-sql-string.yaml +++ b/javascript/aws-lambda/security/tainted-sql-string.yaml @@ -14,6 +14,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" technology: diff --git a/javascript/aws-lambda/security/vm-runincontext-injection.yaml b/javascript/aws-lambda/security/vm-runincontext-injection.yaml index 4283f16a69..c21f179a20 100644 --- a/javascript/aws-lambda/security/vm-runincontext-injection.yaml +++ b/javascript/aws-lambda/security/vm-runincontext-injection.yaml @@ -8,6 +8,7 @@ rules: metadata: owasp: - A03:2021 - Injection + - A05:2025 - Injection cwe: - "CWE-94: Improper Control of Generation of Code ('Code Injection')" category: security diff --git a/javascript/bluebird/security/audit/tofastproperties-code-execution.yaml b/javascript/bluebird/security/audit/tofastproperties-code-execution.yaml index ed58c6eec7..99213b9c65 100644 --- a/javascript/bluebird/security/audit/tofastproperties-code-execution.yaml 
+++ b/javascript/bluebird/security/audit/tofastproperties-code-execution.yaml @@ -8,6 +8,7 @@ rules: - "CWE-94: Improper Control of Generation of Code ('Code Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - bluebird diff --git a/javascript/browser/security/dom-based-xss.yaml b/javascript/browser/security/dom-based-xss.yaml index 11ca92e606..fb29566742 100644 --- a/javascript/browser/security/dom-based-xss.yaml +++ b/javascript/browser/security/dom-based-xss.yaml @@ -12,6 +12,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/DOM_Based_XSS category: security diff --git a/javascript/browser/security/eval-detected.yaml b/javascript/browser/security/eval-detected.yaml index 06f92ab355..94a76f5a82 100644 --- a/javascript/browser/security/eval-detected.yaml +++ b/javascript/browser/security/eval-detected.yaml @@ -10,6 +10,7 @@ rules: - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.2.4 Dynamic Code Execution Features diff --git a/javascript/browser/security/insecure-document-method.yaml b/javascript/browser/security/insecure-document-method.yaml index 2713d71077..9a5764a91f 100644 --- a/javascript/browser/security/insecure-document-method.yaml +++ b/javascript/browser/security/insecure-document-method.yaml @@ -9,6 +9,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - browser diff --git a/javascript/browser/security/insecure-innerhtml.yaml b/javascript/browser/security/insecure-innerhtml.yaml index 39208f7707..ed4216d6b0 100644 --- a/javascript/browser/security/insecure-innerhtml.yaml +++ b/javascript/browser/security/insecure-innerhtml.yaml 
@@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - browser diff --git a/javascript/browser/security/insufficient-postmessage-origin-validation.yaml b/javascript/browser/security/insufficient-postmessage-origin-validation.yaml index 48869f0f31..80bd9a011a 100644 --- a/javascript/browser/security/insufficient-postmessage-origin-validation.yaml +++ b/javascript/browser/security/insufficient-postmessage-origin-validation.yaml @@ -6,6 +6,7 @@ rules: metadata: owasp: - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' category: security diff --git a/javascript/browser/security/open-redirect-from-function.yaml b/javascript/browser/security/open-redirect-from-function.yaml index 4faaad1c5b..4c05aadcf3 100644 --- a/javascript/browser/security/open-redirect-from-function.yaml +++ b/javascript/browser/security/open-redirect-from-function.yaml @@ -12,6 +12,7 @@ rules: - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect diff --git a/javascript/browser/security/open-redirect.yaml b/javascript/browser/security/open-redirect.yaml index bc994a24e9..902280285b 100644 --- a/javascript/browser/security/open-redirect.yaml +++ b/javascript/browser/security/open-redirect.yaml @@ -14,6 +14,7 @@ rules: - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect diff --git a/javascript/browser/security/raw-html-concat.yaml b/javascript/browser/security/raw-html-concat.yaml index bf7bdfff4e..b7bdb57467 100644 
--- a/javascript/browser/security/raw-html-concat.yaml +++ b/javascript/browser/security/raw-html-concat.yaml @@ -7,6 +7,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/xss/ category: security diff --git a/javascript/browser/security/raw-html-join.yaml b/javascript/browser/security/raw-html-join.yaml index 2a40a9d21f..c0d2c71d56 100644 --- a/javascript/browser/security/raw-html-join.yaml +++ b/javascript/browser/security/raw-html-join.yaml @@ -8,6 +8,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/xss/ category: security diff --git a/javascript/browser/security/wildcard-postmessage-configuration.yaml b/javascript/browser/security/wildcard-postmessage-configuration.yaml index 2ab0fe84d1..d52236bc33 100644 --- a/javascript/browser/security/wildcard-postmessage-configuration.yaml +++ b/javascript/browser/security/wildcard-postmessage-configuration.yaml @@ -6,6 +6,7 @@ rules: metadata: owasp: - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' category: security diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-compilescript-injection.yaml b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-compilescript-injection.yaml index 4408863fd6..9555fbbcb9 100644 --- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-compilescript-injection.yaml +++ b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-compilescript-injection.yaml @@ -6,6 +6,7 @@ rules: metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security 
diff --git a/javascript/deno/security/audit/deno-dangerous-run.yaml b/javascript/deno/security/audit/deno-dangerous-run.yaml index 30d482d792..bb4700f3a8 100644 --- a/javascript/deno/security/audit/deno-dangerous-run.yaml +++ b/javascript/deno/security/audit/deno-dangerous-run.yaml @@ -9,6 +9,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection category: security technology: - deno diff --git a/javascript/express/security/audit/express-check-csurf-middleware-usage.yaml b/javascript/express/security/audit/express-check-csurf-middleware-usage.yaml index 1bff227010..f913757d3d 100644 --- a/javascript/express/security/audit/express-check-csurf-middleware-usage.yaml +++ b/javascript/express/security/audit/express-check-csurf-middleware-usage.yaml @@ -14,6 +14,7 @@ rules: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control technology: - javascript - typescript diff --git a/javascript/express/security/audit/express-check-directory-listing.yaml b/javascript/express/security/audit/express-check-directory-listing.yaml index afc25b663e..d1933a4b48 100644 --- a/javascript/express/security/audit/express-check-directory-listing.yaml +++ b/javascript/express/security/audit/express-check-directory-listing.yaml @@ -12,6 +12,7 @@ rules: owasp: - A06:2017 - Security Misconfiguration - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control category: security technology: - express diff --git a/javascript/express/security/audit/express-cookie-settings.yaml b/javascript/express/security/audit/express-cookie-settings.yaml index 2b146566d2..08921b2f99 100644 --- a/javascript/express/security/audit/express-cookie-settings.yaml +++ b/javascript/express/security/audit/express-cookie-settings.yaml 
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
@@ -56,6 +57,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
@@ -118,6 +120,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
@@ -181,6 +184,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
@@ -243,6 +247,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
@@ -305,6 +310,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html
 category: security
 technology:
diff --git a/javascript/express/security/audit/express-detect-notevil-usage.yaml b/javascript/express/security/audit/express-detect-notevil-usage.yaml
index 64d7ae17c7..0b12e4cea3 100644
--- a/javascript/express/security/audit/express-detect-notevil-usage.yaml
+++ b/javascript/express/security/audit/express-detect-notevil-usage.yaml
@@ -13,6 +13,7 @@ rules:
 - 'CWE-1104: Use of Unmaintained Third Party Components'
 owasp:
 - A06:2021 - Vulnerable and Outdated Components
+ - A03:2025 - Software Supply Chain Failures
 technology:
 - javascript
 - typescript
diff --git a/javascript/express/security/audit/express-jwt-not-revoked.yaml b/javascript/express/security/audit/express-jwt-not-revoked.yaml
index 32410a1d5e..09af091d74 100644
--- a/javascript/express/security/audit/express-jwt-not-revoked.yaml
+++ b/javascript/express/security/audit/express-jwt-not-revoked.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/javascript/express/security/audit/express-libxml-noent.yaml b/javascript/express/security/audit/express-libxml-noent.yaml
index eba8054301..cce87112f5 100644
--- a/javascript/express/security/audit/express-libxml-noent.yaml
+++ b/javascript/express/security/audit/express-libxml-noent.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/express/security/audit/express-libxml-vm-noent.yaml b/javascript/express/security/audit/express-libxml-vm-noent.yaml
index 27b50f51f7..eeab0a7e6b 100644
--- a/javascript/express/security/audit/express-libxml-vm-noent.yaml
+++ b/javascript/express/security/audit/express-libxml-vm-noent.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 category: security
diff --git a/javascript/express/security/audit/express-open-redirect.yaml b/javascript/express/security/audit/express-open-redirect.yaml
index 5808a63036..f180f525ab 100644
--- a/javascript/express/security/audit/express-open-redirect.yaml
+++ b/javascript/express/security/audit/express-open-redirect.yaml
@@ -15,6 +15,7 @@ rules:
 category: security
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - vuln
 likelihood: HIGH
diff --git a/javascript/express/security/audit/express-path-join-resolve-traversal.yaml b/javascript/express/security/audit/express-path-join-resolve-traversal.yaml
index 2a97343032..1b3cc0efbd 100644
--- a/javascript/express/security/audit/express-path-join-resolve-traversal.yaml
+++ b/javascript/express/security/audit/express-path-join-resolve-traversal.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 category: security
diff --git a/javascript/express/security/audit/express-res-sendfile.yaml b/javascript/express/security/audit/express-res-sendfile.yaml
index d6c0ccfba9..3a18ee100f 100644
--- a/javascript/express/security/audit/express-res-sendfile.yaml
+++ b/javascript/express/security/audit/express-res-sendfile.yaml
@@ -14,6 +14,7 @@ rules:
 - 'CWE-73: External Control of File Name or Path'
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - vuln
 likelihood: HIGH
diff --git a/javascript/express/security/audit/express-session-hardcoded-secret.yaml b/javascript/express/security/audit/express-session-hardcoded-secret.yaml
index 42598cc565..bd8ae66701 100644
--- a/javascript/express/security/audit/express-session-hardcoded-secret.yaml
+++ b/javascript/express/security/audit/express-session-hardcoded-secret.yaml
@@ -16,6 +16,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - express
diff --git a/javascript/express/security/audit/express-ssrf.yaml b/javascript/express/security/audit/express-ssrf.yaml
index bdcb2b8f74..c6c2f961b6 100644
--- a/javascript/express/security/audit/express-ssrf.yaml
+++ b/javascript/express/security/audit/express-ssrf.yaml
@@ -17,6 +17,7 @@ rules:
 category: security
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/express/security/audit/express-third-party-object-deserialization.yaml b/javascript/express/security/audit/express-third-party-object-deserialization.yaml
index 176bb06655..c111fb5880 100644
--- a/javascript/express/security/audit/express-third-party-object-deserialization.yaml
+++ b/javascript/express/security/audit/express-third-party-object-deserialization.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/express/security/audit/express-xml2json-xxe-event.yaml b/javascript/express/security/audit/express-xml2json-xxe-event.yaml
index c0e513da24..738def1254 100644
--- a/javascript/express/security/audit/express-xml2json-xxe-event.yaml
+++ b/javascript/express/security/audit/express-xml2json-xxe-event.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 category: security
diff --git a/javascript/express/security/audit/possible-user-input-redirect.yaml b/javascript/express/security/audit/possible-user-input-redirect.yaml
index 3a9f2d1f40..438dab41a7 100644
--- a/javascript/express/security/audit/possible-user-input-redirect.yaml
+++ b/javascript/express/security/audit/possible-user-input-redirect.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 asvs:
diff --git a/javascript/express/security/audit/remote-property-injection.yaml b/javascript/express/security/audit/remote-property-injection.yaml
index 0dcc49c7b2..94d475c4ed 100644
--- a/javascript/express/security/audit/remote-property-injection.yaml
+++ b/javascript/express/security/audit/remote-property-injection.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-522: Insufficiently Protected Credentials'
 category: security
diff --git a/javascript/express/security/audit/res-render-injection.yaml b/javascript/express/security/audit/res-render-injection.yaml
index 4f4f39be5d..ee26bcb3f8 100644
--- a/javascript/express/security/audit/res-render-injection.yaml
+++ b/javascript/express/security/audit/res-render-injection.yaml
@@ -12,6 +12,7 @@ rules:
 interfile: true
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-706: Use of Incorrectly-Resolved Name or Reference'
 category: security
diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml
index 87dd91900e..0870f71a5a 100644
--- a/javascript/express/security/audit/xss/direct-response-write.yaml
+++ b/javascript/express/security/audit/xss/direct-response-write.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')'
diff --git a/javascript/express/security/audit/xss/ejs/explicit-unescape.yaml b/javascript/express/security/audit/xss/ejs/explicit-unescape.yaml
index 15c016fb45..172c76ac46 100644
--- a/javascript/express/security/audit/xss/ejs/explicit-unescape.yaml
+++ b/javascript/express/security/audit/xss/ejs/explicit-unescape.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/
 category: security
diff --git a/javascript/express/security/audit/xss/ejs/var-in-href.yaml b/javascript/express/security/audit/xss/ejs/var-in-href.yaml
index 7d4c2ad564..e4408b4b76 100644
--- a/javascript/express/security/audit/xss/ejs/var-in-href.yaml
+++ b/javascript/express/security/audit/xss/ejs/var-in-href.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
 - https://github.com/pugjs/pug/issues/2952
diff --git a/javascript/express/security/audit/xss/ejs/var-in-script-src.yaml b/javascript/express/security/audit/xss/ejs/var-in-script-src.yaml
index 8d8b43239e..fbbfb3fca3 100644
--- a/javascript/express/security/audit/xss/ejs/var-in-script-src.yaml
+++ b/javascript/express/security/audit/xss/ejs/var-in-script-src.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
 - https://github.com/ESAPI/owasp-esapi-js
diff --git a/javascript/express/security/audit/xss/ejs/var-in-script-tag.yaml b/javascript/express/security/audit/xss/ejs/var-in-script-tag.yaml
index cc68ddeb74..747ca01865 100644
--- a/javascript/express/security/audit/xss/ejs/var-in-script-tag.yaml
+++ b/javascript/express/security/audit/xss/ejs/var-in-script-tag.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
 - https://github.com/ESAPI/owasp-esapi-js
diff --git a/javascript/express/security/audit/xss/mustache/escape-function-overwrite.yaml b/javascript/express/security/audit/xss/mustache/escape-function-overwrite.yaml
index 0f9b1fc456..3eb541fcf7 100644
--- a/javascript/express/security/audit/xss/mustache/escape-function-overwrite.yaml
+++ b/javascript/express/security/audit/xss/mustache/escape-function-overwrite.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/janl/mustache.js/#variables
 category: security
diff --git a/javascript/express/security/audit/xss/mustache/explicit-unescape.yaml b/javascript/express/security/audit/xss/mustache/explicit-unescape.yaml
index 92cb4ad547..b76eeb115a 100644
--- a/javascript/express/security/audit/xss/mustache/explicit-unescape.yaml
+++ b/javascript/express/security/audit/xss/mustache/explicit-unescape.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/janl/mustache.js/#variables
 - https://ractive.js.org/v0.x/0.7/mustaches#variables
diff --git a/javascript/express/security/audit/xss/mustache/var-in-script-tag.yaml b/javascript/express/security/audit/xss/mustache/var-in-script-tag.yaml
index 24c2bd21b1..0e3da7ecda 100644
--- a/javascript/express/security/audit/xss/mustache/var-in-script-tag.yaml
+++ b/javascript/express/security/audit/xss/mustache/var-in-script-tag.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
 - https://github.com/ESAPI/owasp-esapi-js
diff --git a/javascript/express/security/audit/xss/pug/and-attributes.yaml b/javascript/express/security/audit/xss/pug/and-attributes.yaml
index 926e211bd2..0bf988cd7e 100644
--- a/javascript/express/security/audit/xss/pug/and-attributes.yaml
+++ b/javascript/express/security/audit/xss/pug/and-attributes.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://pugjs.org/language/attributes.html#attributes
 category: security
diff --git a/javascript/express/security/audit/xss/pug/explicit-unescape.yaml b/javascript/express/security/audit/xss/pug/explicit-unescape.yaml
index b2a29670d1..99b16f7b54 100644
--- a/javascript/express/security/audit/xss/pug/explicit-unescape.yaml
+++ b/javascript/express/security/audit/xss/pug/explicit-unescape.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://pugjs.org/language/code.html#unescaped-buffered-code
 - https://pugjs.org/language/attributes.html#unescaped-attributes
diff --git a/javascript/express/security/audit/xss/pug/var-in-href.yaml b/javascript/express/security/audit/xss/pug/var-in-href.yaml
index 587b3912ed..3dda2cc814 100644
--- a/javascript/express/security/audit/xss/pug/var-in-href.yaml
+++ b/javascript/express/security/audit/xss/pug/var-in-href.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/pugjs/pug/issues/2952
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
diff --git a/javascript/express/security/audit/xss/pug/var-in-script-tag.yaml b/javascript/express/security/audit/xss/pug/var-in-script-tag.yaml
index 3cbf33fd2d..aaacdeee35 100644
--- a/javascript/express/security/audit/xss/pug/var-in-script-tag.yaml
+++ b/javascript/express/security/audit/xss/pug/var-in-script-tag.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough
 - https://github.com/ESAPI/owasp-esapi-js
diff --git a/javascript/express/security/cors-misconfiguration.yaml b/javascript/express/security/cors-misconfiguration.yaml
index 318e1881a1..5f2e2a9b0a 100644
--- a/javascript/express/security/cors-misconfiguration.yaml
+++ b/javascript/express/security/cors-misconfiguration.yaml
@@ -7,6 +7,7 @@ rules:
 metadata:
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-346: Origin Validation Error'
 category: security
diff --git a/javascript/express/security/express-data-exfiltration.yaml b/javascript/express/security/express-data-exfiltration.yaml
index 18bb8d2fb3..e32fdd38ad 100644
--- a/javascript/express/security/express-data-exfiltration.yaml
+++ b/javascript/express/security/express-data-exfiltration.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 references:
diff --git a/javascript/express/security/express-expat-xxe.yaml b/javascript/express/security/express-expat-xxe.yaml
index 1b0eb43b72..5b3633c284 100644
--- a/javascript/express/security/express-expat-xxe.yaml
+++ b/javascript/express/security/express-expat-xxe.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 asvs:
diff --git a/javascript/express/security/express-insecure-template-usage.yaml b/javascript/express/security/express-insecure-template-usage.yaml
index 0512c2380f..b80f145394 100644
--- a/javascript/express/security/express-insecure-template-usage.yaml
+++ b/javascript/express/security/express-insecure-template-usage.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2021 - Injection
 - A01:2017 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
 technology:
diff --git a/javascript/express/security/express-jwt-hardcoded-secret.yaml b/javascript/express/security/express-jwt-hardcoded-secret.yaml
index e958dd1080..bc73d1450f 100644
--- a/javascript/express/security/express-jwt-hardcoded-secret.yaml
+++ b/javascript/express/security/express-jwt-hardcoded-secret.yaml
@@ -16,6 +16,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - express
diff --git a/javascript/express/security/express-phantom-injection.yaml b/javascript/express/security/express-phantom-injection.yaml
index cf4271b217..2765d873e4 100644
--- a/javascript/express/security/express-phantom-injection.yaml
+++ b/javascript/express/security/express-phantom-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/express/security/express-puppeteer-injection.yaml b/javascript/express/security/express-puppeteer-injection.yaml
index 519464f248..352dc4c9df 100644
--- a/javascript/express/security/express-puppeteer-injection.yaml
+++ b/javascript/express/security/express-puppeteer-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/express/security/express-sandbox-injection.yaml b/javascript/express/security/express-sandbox-injection.yaml
index 194bbcea80..b229453114 100644
--- a/javascript/express/security/express-sandbox-injection.yaml
+++ b/javascript/express/security/express-sandbox-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
 cwe:
diff --git a/javascript/express/security/express-vm-injection.yaml b/javascript/express/security/express-vm-injection.yaml
index 243c4eb6d0..e9fda207e9 100644
--- a/javascript/express/security/express-vm-injection.yaml
+++ b/javascript/express/security/express-vm-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
 cwe:
diff --git a/javascript/express/security/express-vm2-injection.yaml b/javascript/express/security/express-vm2-injection.yaml
index cc5080fa56..2d925aefc7 100644
--- a/javascript/express/security/express-vm2-injection.yaml
+++ b/javascript/express/security/express-vm2-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
 cwe:
diff --git a/javascript/express/security/express-wkhtml-injection.yaml b/javascript/express/security/express-wkhtml-injection.yaml
index aba98fd1f2..d0a7fd6a22 100644
--- a/javascript/express/security/express-wkhtml-injection.yaml
+++ b/javascript/express/security/express-wkhtml-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
@@ -65,6 +66,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/express/security/express-xml2json-xxe.yaml b/javascript/express/security/express-xml2json-xxe.yaml
index e494d7dcc0..cfe323b9d0 100644
--- a/javascript/express/security/express-xml2json-xxe.yaml
+++ b/javascript/express/security/express-xml2json-xxe.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 asvs:
diff --git a/javascript/express/security/injection/raw-html-format.yaml b/javascript/express/security/injection/raw-html-format.yaml
index 16aab225aa..a211f61feb 100644
--- a/javascript/express/security/injection/raw-html-format.yaml
+++ b/javascript/express/security/injection/raw-html-format.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
 category: security
diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml
index 391cb3c385..e7c79ba8af 100644
--- a/javascript/express/security/injection/tainted-sql-string.yaml
+++ b/javascript/express/security/injection/tainted-sql-string.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 references:
diff --git a/javascript/express/security/require-request.yaml b/javascript/express/security/require-request.yaml
index 780b42bfcf..310a669e88 100644
--- a/javascript/express/security/require-request.yaml
+++ b/javascript/express/security/require-request.yaml
@@ -9,6 +9,7 @@ rules:
 interfile: true
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-706: Use of Incorrectly-Resolved Name or Reference'
 source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html
diff --git a/javascript/express/security/x-frame-options-misconfiguration.yaml b/javascript/express/security/x-frame-options-misconfiguration.yaml
index 5f246b1acf..f1de2c10e7 100644
--- a/javascript/express/security/x-frame-options-misconfiguration.yaml
+++ b/javascript/express/security/x-frame-options-misconfiguration.yaml
@@ -10,6 +10,7 @@ rules:
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-451: User Interface (UI) Misrepresentation of Critical Information'
 category: security
diff --git a/javascript/fbjs/security/audit/insecure-createnodesfrommarkup.yaml b/javascript/fbjs/security/audit/insecure-createnodesfrommarkup.yaml
index 12fd2136a0..6fc30aa679 100644
--- a/javascript/fbjs/security/audit/insecure-createnodesfrommarkup.yaml
+++ b/javascript/fbjs/security/audit/insecure-createnodesfrommarkup.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - fbjs
diff --git a/javascript/grpc/security/grpc-nodejs-insecure-connection.yaml b/javascript/grpc/security/grpc-nodejs-insecure-connection.yaml
index d8a652992b..2417297213 100644
--- a/javascript/grpc/security/grpc-nodejs-insecure-connection.yaml
+++ b/javascript/grpc/security/grpc-nodejs-insecure-connection.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 category: security
diff --git a/javascript/jose/security/audit/jose-exposed-data.yaml b/javascript/jose/security/audit/jose-exposed-data.yaml
index 1b34aae938..14e91b7512 100644
--- a/javascript/jose/security/audit/jose-exposed-data.yaml
+++ b/javascript/jose/security/audit/jose-exposed-data.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-522: Insufficiently Protected Credentials'
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
diff --git a/javascript/jose/security/jwt-hardcode.yaml b/javascript/jose/security/jwt-hardcode.yaml
index 1a481cb9d8..74f6f8c448 100644
--- a/javascript/jose/security/jwt-hardcode.yaml
+++ b/javascript/jose/security/jwt-hardcode.yaml
@@ -14,6 +14,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 asvs:
 section: 'V3: Session Management Verification Requirements'
 control_id: 3.5.2 Static API keys or secret
diff --git a/javascript/jose/security/jwt-none-alg.yaml b/javascript/jose/security/jwt-none-alg.yaml
index 7004121bc8..94d5dd67a1 100644
--- a/javascript/jose/security/jwt-none-alg.yaml
+++ b/javascript/jose/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/javascript/jquery/security/audit/jquery-insecure-method.yaml b/javascript/jquery/security/audit/jquery-insecure-method.yaml
index bb33bb4d19..10a21b1797 100644
--- a/javascript/jquery/security/audit/jquery-insecure-method.yaml
+++ b/javascript/jquery/security/audit/jquery-insecure-method.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/www-community/attacks/xss/
 - https://bugs.jquery.com/ticket/9521
diff --git a/javascript/jquery/security/audit/jquery-insecure-selector.yaml b/javascript/jquery/security/audit/jquery-insecure-selector.yaml
index 424a344fb9..4f0dec8f85 100644
--- a/javascript/jquery/security/audit/jquery-insecure-selector.yaml
+++ b/javascript/jquery/security/audit/jquery-insecure-selector.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/www-community/attacks/xss/
 - https://bugs.jquery.com/ticket/9521
diff --git a/javascript/jquery/security/audit/prohibit-jquery-html.yaml b/javascript/jquery/security/audit/prohibit-jquery-html.yaml
index 298d364789..8cc0016285 100644
--- a/javascript/jquery/security/audit/prohibit-jquery-html.yaml
+++ b/javascript/jquery/security/audit/prohibit-jquery-html.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.yaml b/javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.yaml
index 74b8671dc2..8bc510f793 100644
--- a/javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.yaml
+++ b/javascript/jsonwebtoken/security/audit/jwt-decode-without-verify.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-345: Insufficient Verification of Data Authenticity'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/javascript/jsonwebtoken/security/audit/jwt-exposed-data.yaml b/javascript/jsonwebtoken/security/audit/jwt-exposed-data.yaml
index 30edfa93f2..be33b998c3 100644
--- a/javascript/jsonwebtoken/security/audit/jwt-exposed-data.yaml
+++ b/javascript/jsonwebtoken/security/audit/jwt-exposed-data.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-522: Insufficiently Protected Credentials'
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
diff --git a/javascript/jsonwebtoken/security/jwt-hardcode.yaml b/javascript/jsonwebtoken/security/jwt-hardcode.yaml
index 8cc11871e5..9af713f704 100644
--- a/javascript/jsonwebtoken/security/jwt-hardcode.yaml
+++ b/javascript/jsonwebtoken/security/jwt-hardcode.yaml
@@ -13,6 +13,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 asvs:
 section: 'V3: Session Management Verification Requirements'
 control_id: 3.5.2 Static API keys or secret
diff --git a/javascript/jsonwebtoken/security/jwt-none-alg.yaml b/javascript/jsonwebtoken/security/jwt-none-alg.yaml
index 2053358c75..c25daeaea0 100644
--- a/javascript/jsonwebtoken/security/jwt-none-alg.yaml
+++ b/javascript/jsonwebtoken/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 asvs:
 section: 'V3: Session Management Verification Requirements'
diff --git a/javascript/jwt-simple/security/jwt-simple-noverify.yaml b/javascript/jwt-simple/security/jwt-simple-noverify.yaml
index 55b5164288..af007f4159 100644
--- a/javascript/jwt-simple/security/jwt-simple-noverify.yaml
+++ b/javascript/jwt-simple/security/jwt-simple-noverify.yaml
@@ -10,6 +10,8 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A07:2021 - Identification and Authentication Failures
+ - A02:2025 - Security Misconfiguration
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-287: Improper Authentication'
 - 'CWE-345: Insufficient Verification of Data Authenticity'
diff --git a/javascript/lang/security/audit/code-string-concat.yaml b/javascript/lang/security/audit/code-string-concat.yaml
index 0f356c22bd..f89f567f89 100644
--- a/javascript/lang/security/audit/code-string-concat.yaml
+++ b/javascript/lang/security/audit/code-string-concat.yaml
@@ -11,6 +11,7 @@ rules:
 confidence: HIGH
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 references:
diff --git a/javascript/lang/security/audit/dangerous-spawn-shell.yaml b/javascript/lang/security/audit/dangerous-spawn-shell.yaml
index c058fc752d..a938e10411 100644
--- a/javascript/lang/security/audit/dangerous-spawn-shell.yaml
+++ b/javascript/lang/security/audit/dangerous-spawn-shell.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js
 category: security
 technology:
diff --git a/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml b/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml
index 7f5c86f424..e645550a55 100644
--- a/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml
+++ b/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-fs-filename.js
 category: security
 technology:
diff --git a/javascript/lang/security/audit/detect-non-literal-regexp.yaml b/javascript/lang/security/audit/detect-non-literal-regexp.yaml
index a36572b321..cd683f0681 100644
--- a/javascript/lang/security/audit/detect-non-literal-regexp.yaml
+++ b/javascript/lang/security/audit/detect-non-literal-regexp.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - "CWE-1333: Inefficient Regular Expression Complexity"
 references:
diff --git a/javascript/lang/security/audit/detect-non-literal-require.yaml b/javascript/lang/security/audit/detect-non-literal-require.yaml
index db73077790..5e90fea2fa 100644
--- a/javascript/lang/security/audit/detect-non-literal-require.yaml
+++ b/javascript/lang/security/audit/detect-non-literal-require.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js
 references:
 - https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js
diff --git a/javascript/lang/security/audit/detect-redos.yaml b/javascript/lang/security/audit/detect-redos.yaml
index 6237b3998c..3d107dd6f8 100644
--- a/javascript/lang/security/audit/detect-redos.yaml
+++ b/javascript/lang/security/audit/detect-redos.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - "CWE-1333: Inefficient Regular Expression Complexity"
 references:
diff --git a/javascript/lang/security/audit/hardcoded-hmac-key.yaml b/javascript/lang/security/audit/hardcoded-hmac-key.yaml
index fe5de29d09..a4e16dbbed 100644
--- a/javascript/lang/security/audit/hardcoded-hmac-key.yaml
+++ b/javascript/lang/security/audit/hardcoded-hmac-key.yaml
@@ -16,6 +16,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-798: Use of Hard-coded Credentials'
 cwe2022-top25: true
diff --git a/javascript/lang/security/audit/incomplete-sanitization.yaml b/javascript/lang/security/audit/incomplete-sanitization.yaml
index b776bc0034..58b2fd96c0 100644
--- a/javascript/lang/security/audit/incomplete-sanitization.yaml
+++ b/javascript/lang/security/audit/incomplete-sanitization.yaml
@@ -12,6 +12,7 @@ rules:
 - javascript
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 subcategory:
 - audit
 likelihood: LOW
diff --git a/javascript/lang/security/audit/md5-used-as-password.yaml b/javascript/lang/security/audit/md5-used-as-password.yaml
index 2318294696..ab99b77d9d 100644
--- a/javascript/lang/security/audit/md5-used-as-password.yaml
+++ b/javascript/lang/security/audit/md5-used-as-password.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 subcategory:
diff --git a/javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.yaml b/javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.yaml
index 1753fe36ab..66700dc30e 100644
--- a/javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.yaml
+++ b/javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 category: security
diff --git a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-assignment.yaml b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-assignment.yaml
index bc616e3701..dd807bd0eb 100644
--- a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-assignment.yaml
+++ b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-assignment.yaml
@@ -17,6 +17,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 category: security
 references:
 - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
diff --git a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-loop.yaml b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-loop.yaml
index 39298fc111..a0a53db7b1 100644
--- a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-loop.yaml
+++ b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-loop.yaml
@@ -22,6 +22,7 @@ rules:
 - typescript
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/javascript/lang/security/audit/spawn-shell-true.yaml b/javascript/lang/security/audit/spawn-shell-true.yaml
index 0d38f3c34a..daf00f20df 100644
--- a/javascript/lang/security/audit/spawn-shell-true.yaml
+++ b/javascript/lang/security/audit/spawn-shell-true.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 category: security
diff --git a/javascript/lang/security/audit/sqli/node-knex-sqli.yaml b/javascript/lang/security/audit/sqli/node-knex-sqli.yaml
index 130a6adbee..cdc54dcc6f 100644
--- a/javascript/lang/security/audit/sqli/node-knex-sqli.yaml
+++ b/javascript/lang/security/audit/sqli/node-knex-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml b/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml
index 61092aee58..638b215c09 100644
--- a/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml
+++ b/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 category: security
diff --git a/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml b/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml
index 876a6740c2..d9e5dd1952 100644
--- a/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml
+++ b/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 confidence: LOW
diff --git a/javascript/lang/security/audit/sqli/node-postgres-sqli.yaml b/javascript/lang/security/audit/sqli/node-postgres-sqli.yaml
index 581d0c3260..548fa4da25 100644
--- a/javascript/lang/security/audit/sqli/node-postgres-sqli.yaml
+++ b/javascript/lang/security/audit/sqli/node-postgres-sqli.yaml
@@ -10,6 +10,7 @@ rules:
 metadata:
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 references:
diff --git a/javascript/lang/security/audit/unknown-value-with-script-tag.yaml b/javascript/lang/security/audit/unknown-value-with-script-tag.yaml
index affb350c5e..c013859714 100644
--- a/javascript/lang/security/audit/unknown-value-with-script-tag.yaml
+++ b/javascript/lang/security/audit/unknown-value-with-script-tag.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
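Review bot: node-postgres-sqli's added `- A08:2025 - Software or Data Integrity Failures` inherits an existing `A08:2021` / CWE-915 (prototype-pollution) classification that does not fit a SQL-injection rule; the sibling node-knex-sqli, node-mssql-sqli and node-mysql-sqli hunks in this commit all map to `- A05:2025 - Injection` with CWE-89. If the existing metadata is a copy-paste remnant, carrying it into the 2025 list cements it, and the new line would presumably be `- A05:2025 - Injection` with the 2021 entry and CWE corrected in the same change. I would confirm against the rule's pattern and message, which lie outside this hunk; the `metadata:` block also continues past it.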
diff --git a/javascript/lang/security/audit/unsafe-dynamic-method.yaml b/javascript/lang/security/audit/unsafe-dynamic-method.yaml
index 07fd4e23af..52d90b6d8e 100644
--- a/javascript/lang/security/audit/unsafe-dynamic-method.yaml
+++ b/javascript/lang/security/audit/unsafe-dynamic-method.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/lang/security/audit/unsafe-formatstring.yaml b/javascript/lang/security/audit/unsafe-formatstring.yaml
index b920e2cbef..b96b01824b 100644
--- a/javascript/lang/security/audit/unsafe-formatstring.yaml
+++ b/javascript/lang/security/audit/unsafe-formatstring.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-134: Use of Externally-Controlled Format String'
 owasp:
 - "A01:2021 - Broken Access Control"
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - javascript
diff --git a/javascript/lang/security/detect-child-process.yaml b/javascript/lang/security/detect-child-process.yaml
index 4f9f6dccea..e35bcc1f2f 100644
--- a/javascript/lang/security/detect-child-process.yaml
+++ b/javascript/lang/security/detect-child-process.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js
diff --git a/javascript/lang/security/detect-disable-mustache-escape.yaml b/javascript/lang/security/detect-disable-mustache-escape.yaml
index fff111f2b5..302d8011fb 100644
--- a/javascript/lang/security/detect-disable-mustache-escape.yaml
+++ b/javascript/lang/security/detect-disable-mustache-escape.yaml
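Review bot: In unsafe-formatstring the new `- A01:2025 - Broken Access Control` is a plain scalar directly under the double-quoted `- "A01:2021 - Broken Access Control"`, so two entries of the same list use different quoting styles; every other owasp entry touched by this commit is unquoted, so the 2021 line would read consistently as `- A01:2021 - Broken Access Control`. Separately, a format-string rule (CWE-134) mapped to Broken Access Control in both the 2021 and the new 2025 entry looks like pre-existing metadata worth revisiting, though that classification predates this change. The `metadata:` block continues past the hunk.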
@@ -8,6 +8,7 @@ rules:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js
 category: security
 technology:
diff --git a/javascript/lang/security/detect-eval-with-expression.yaml b/javascript/lang/security/detect-eval-with-expression.yaml
index f8a81f96ce..ac58700b37 100644
--- a/javascript/lang/security/detect-eval-with-expression.yaml
+++ b/javascript/lang/security/detect-eval-with-expression.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js
 references:
 - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
diff --git a/javascript/lang/security/detect-insecure-websocket.yaml b/javascript/lang/security/detect-insecure-websocket.yaml
index 40eedf45f6..186e2a2236 100644
--- a/javascript/lang/security/detect-insecure-websocket.yaml
+++ b/javascript/lang/security/detect-insecure-websocket.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/javascript/lang/security/detect-no-csrf-before-method-override.yaml b/javascript/lang/security/detect-no-csrf-before-method-override.yaml
index 66dc5c4a82..27c6193f6e 100644
--- a/javascript/lang/security/detect-no-csrf-before-method-override.yaml
+++ b/javascript/lang/security/detect-no-csrf-before-method-override.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2021 - Broken Access Control
 - A05:2017 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/lang/security/detect-pseudoRandomBytes.yaml b/javascript/lang/security/detect-pseudoRandomBytes.yaml
index f598437f91..9c9e8ac975 100644
--- a/javascript/lang/security/detect-pseudoRandomBytes.yaml
+++ b/javascript/lang/security/detect-pseudoRandomBytes.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js
 asvs:
 section: 'V6: Stored Cryptography Verification Requirements'
diff --git a/javascript/lang/security/html-in-template-string.yaml b/javascript/lang/security/html-in-template-string.yaml
index 96347a0cbf..130f2d75e9 100644
--- a/javascript/lang/security/html-in-template-string.yaml
+++ b/javascript/lang/security/html-in-template-string.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - javascript
diff --git a/javascript/lang/security/insecure-object-assign.yaml b/javascript/lang/security/insecure-object-assign.yaml
index 8660247e7e..0265811c31 100644
--- a/javascript/lang/security/insecure-object-assign.yaml
+++ b/javascript/lang/security/insecure-object-assign.yaml
@@ -8,6 +8,7 @@ rules:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
 - https://en.wikipedia.org/wiki/Mass_assignment_vulnerability
diff --git a/javascript/lang/security/spawn-git-clone.yaml b/javascript/lang/security/spawn-git-clone.yaml
index 2150c30c4c..62e6c755c8 100644
--- a/javascript/lang/security/spawn-git-clone.yaml
+++ b/javascript/lang/security/spawn-git-clone.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - git
diff --git a/javascript/monaco-editor/security/audit/monaco-hover-htmlsupport.yaml b/javascript/monaco-editor/security/audit/monaco-hover-htmlsupport.yaml
index b06767fb22..ab93f6519a 100644
--- a/javascript/monaco-editor/security/audit/monaco-hover-htmlsupport.yaml
+++ b/javascript/monaco-editor/security/audit/monaco-hover-htmlsupport.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/microsoft/monaco-editor/issues/801
 category: security
diff --git a/javascript/node-crypto/security/aead-no-final.yaml b/javascript/node-crypto/security/aead-no-final.yaml
index c347553ccc..759e293ce6 100644
--- a/javascript/node-crypto/security/aead-no-final.yaml
+++ b/javascript/node-crypto/security/aead-no-final.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-310: CWE CATEGORY: Cryptographic Issues'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 subcategory:
 - vuln
diff --git a/javascript/node-crypto/security/gcm-no-tag-length.yaml b/javascript/node-crypto/security/gcm-no-tag-length.yaml
index 0cfc9bb411..ae6f7bddfa 100644
--- a/javascript/node-crypto/security/gcm-no-tag-length.yaml
+++ b/javascript/node-crypto/security/gcm-no-tag-length.yaml
@@ -9,6 +9,7 @@ rules:
 - 'CWE-310: CWE CATEGORY: Cryptographic Issues'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 subcategory:
 - vuln
diff --git a/javascript/node-expat/security/audit/expat-xxe.yaml b/javascript/node-expat/security/audit/expat-xxe.yaml
index 71525923b9..628250ca14 100644
--- a/javascript/node-expat/security/audit/expat-xxe.yaml
+++ b/javascript/node-expat/security/audit/expat-xxe.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 category: security
diff --git a/javascript/passport-jwt/security/passport-hardcode.yaml b/javascript/passport-jwt/security/passport-hardcode.yaml
index 8d3eafdb96..e11c714c1e 100644
--- a/javascript/passport-jwt/security/passport-hardcode.yaml
+++ b/javascript/passport-jwt/security/passport-hardcode.yaml
@@ -13,6 +13,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 asvs:
 section: 'V3: Session Management Verification Requirements'
 control_id: 3.5.2 Static API keys or secret
diff --git a/javascript/phantom/security/audit/phantom-injection.yaml b/javascript/phantom/security/audit/phantom-injection.yaml
index 795790659d..1376adc305 100644
--- a/javascript/phantom/security/audit/phantom-injection.yaml
+++ b/javascript/phantom/security/audit/phantom-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/playwright/security/audit/playwright-addinitscript-code-injection.yaml b/javascript/playwright/security/audit/playwright-addinitscript-code-injection.yaml
index 971776e9e6..58f2e997c7 100644
--- a/javascript/playwright/security/audit/playwright-addinitscript-code-injection.yaml
+++ b/javascript/playwright/security/audit/playwright-addinitscript-code-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
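Review bot: The new `- A01:2025 - Broken Access Control` under phantom-injection's existing `A10:2021 - Server-Side Request Forgery (SSRF)` entry reads as a mislabel to anyone who does not know that the 2025 Top 10 folds SSRF into A01; a one-line comment beside the added entry, `# OWASP Top 10 2025 merges SSRF (A10:2021) into A01 Broken Access Control`, would make the mapping self-explaining. The same 2021-SSRF-to-2025-A01 mapping recurs in playwright-addinitscript-code-injection (this line), playwright-evaluate-arg-injection, playwright-evaluate-code-injection, playwright-goto-injection, playwright-setcontent-injection, the puppeteer-evaluate-arg-injection, puppeteer-evaluate-code-injection, puppeteer-goto-injection and puppeteer-setcontent-injection rules, and wkhtmltoimage-injection and wkhtmltopdf-injection, so one comment at the first occurrence is probably enough. For the rules whose names say code-injection or evaluate-arg-injection, the pre-existing SSRF / CWE-918 classification itself looks worth confirming before it is carried into 2025, since the sibling playwright-exposed-chrome-devtools and puppeteer-exposed-chrome-devtools rules map to `A05:2025 - Injection` with CWE-94. Each of these hunks ends before the rule's pattern and message, so the classification cannot be checked from the diff alone.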
diff --git a/javascript/playwright/security/audit/playwright-evaluate-arg-injection.yaml b/javascript/playwright/security/audit/playwright-evaluate-arg-injection.yaml
index 991656d513..976f18c4af 100644
--- a/javascript/playwright/security/audit/playwright-evaluate-arg-injection.yaml
+++ b/javascript/playwright/security/audit/playwright-evaluate-arg-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/playwright/security/audit/playwright-evaluate-code-injection.yaml b/javascript/playwright/security/audit/playwright-evaluate-code-injection.yaml
index dd758bd59c..94b2f0bb82 100644
--- a/javascript/playwright/security/audit/playwright-evaluate-code-injection.yaml
+++ b/javascript/playwright/security/audit/playwright-evaluate-code-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/playwright/security/audit/playwright-exposed-chrome-devtools.yaml b/javascript/playwright/security/audit/playwright-exposed-chrome-devtools.yaml
index 5309743b30..4cacdd556c 100644
--- a/javascript/playwright/security/audit/playwright-exposed-chrome-devtools.yaml
+++ b/javascript/playwright/security/audit/playwright-exposed-chrome-devtools.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/playwright/security/audit/playwright-goto-injection.yaml b/javascript/playwright/security/audit/playwright-goto-injection.yaml
index 70ccb6ae69..580d6a566d 100644
--- a/javascript/playwright/security/audit/playwright-goto-injection.yaml
+++ b/javascript/playwright/security/audit/playwright-goto-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/playwright/security/audit/playwright-setcontent-injection.yaml b/javascript/playwright/security/audit/playwright-setcontent-injection.yaml
index 3b6d6b06c8..3259007c5f 100644
--- a/javascript/playwright/security/audit/playwright-setcontent-injection.yaml
+++ b/javascript/playwright/security/audit/playwright-setcontent-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/puppeteer/security/audit/puppeteer-evaluate-arg-injection.yaml b/javascript/puppeteer/security/audit/puppeteer-evaluate-arg-injection.yaml
index 5ac17d6678..066a468e7c 100644
--- a/javascript/puppeteer/security/audit/puppeteer-evaluate-arg-injection.yaml
+++ b/javascript/puppeteer/security/audit/puppeteer-evaluate-arg-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.yaml b/javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.yaml
index ab2b3798e1..34974a748c 100644
--- a/javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.yaml
+++ b/javascript/puppeteer/security/audit/puppeteer-evaluate-code-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/puppeteer/security/audit/puppeteer-exposed-chrome-devtools.yaml b/javascript/puppeteer/security/audit/puppeteer-exposed-chrome-devtools.yaml
index a9dd33c18f..f41c9dfa61 100644
--- a/javascript/puppeteer/security/audit/puppeteer-exposed-chrome-devtools.yaml
+++ b/javascript/puppeteer/security/audit/puppeteer-exposed-chrome-devtools.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/puppeteer/security/audit/puppeteer-goto-injection.yaml b/javascript/puppeteer/security/audit/puppeteer-goto-injection.yaml
index fe9fe804bf..1b0ea17f73 100644
--- a/javascript/puppeteer/security/audit/puppeteer-goto-injection.yaml
+++ b/javascript/puppeteer/security/audit/puppeteer-goto-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/puppeteer/security/audit/puppeteer-setcontent-injection.yaml b/javascript/puppeteer/security/audit/puppeteer-setcontent-injection.yaml
index 5bdc0d7e54..6a12585d5c 100644
--- a/javascript/puppeteer/security/audit/puppeteer-setcontent-injection.yaml
+++ b/javascript/puppeteer/security/audit/puppeteer-setcontent-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/sandbox/security/audit/sandbox-code-injection.yaml b/javascript/sandbox/security/audit/sandbox-code-injection.yaml
index 7d61f8b4c2..47f343beb8 100644
--- a/javascript/sandbox/security/audit/sandbox-code-injection.yaml
+++ b/javascript/sandbox/security/audit/sandbox-code-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/sax/security/audit/sax-xxe.yaml b/javascript/sax/security/audit/sax-xxe.yaml
index 10bc15124a..78279edd3d 100644
--- a/javascript/sax/security/audit/sax-xxe.yaml
+++ b/javascript/sax/security/audit/sax-xxe.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 references:
diff --git a/javascript/sequelize/security/audit/sequelize-enforce-tls.yaml b/javascript/sequelize/security/audit/sequelize-enforce-tls.yaml
index f3507700bc..9096532781 100644
--- a/javascript/sequelize/security/audit/sequelize-enforce-tls.yaml
+++ b/javascript/sequelize/security/audit/sequelize-enforce-tls.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://node-postgres.com/features/ssl
 - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
diff --git a/javascript/sequelize/security/audit/sequelize-injection-express.yaml b/javascript/sequelize/security/audit/sequelize-injection-express.yaml
index cbfc06754e..1244352c34 100644
--- a/javascript/sequelize/security/audit/sequelize-injection-express.yaml
+++ b/javascript/sequelize/security/audit/sequelize-injection-express.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/sequelize/security/audit/sequelize-raw-query.yaml b/javascript/sequelize/security/audit/sequelize-raw-query.yaml
index 176dfe59a3..51926c6ede 100644
--- a/javascript/sequelize/security/audit/sequelize-raw-query.yaml
+++ b/javascript/sequelize/security/audit/sequelize-raw-query.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://sequelize.org/master/manual/raw-queries.html
 cwe2022-top25: true
diff --git a/javascript/sequelize/security/audit/sequelize-tls-disabled-cert-validation.yaml b/javascript/sequelize/security/audit/sequelize-tls-disabled-cert-validation.yaml
index 0760d5623d..be6383a633 100644
--- a/javascript/sequelize/security/audit/sequelize-tls-disabled-cert-validation.yaml
+++ b/javascript/sequelize/security/audit/sequelize-tls-disabled-cert-validation.yaml
@@ -17,6 +17,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://node-postgres.com/features/ssl
 - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
diff --git a/javascript/sequelize/security/audit/sequelize-weak-tls-version.yaml b/javascript/sequelize/security/audit/sequelize-weak-tls-version.yaml
index 66a3544964..22bfa54f11 100644
--- a/javascript/sequelize/security/audit/sequelize-weak-tls-version.yaml
+++ b/javascript/sequelize/security/audit/sequelize-weak-tls-version.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://node-postgres.com/features/ssl
 - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
diff --git a/javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml b/javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml
index af225b2336..de9574c429 100644
--- a/javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml
+++ b/javascript/serialize-javascript/security/audit/unsafe-serialize-javascript.yaml
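Review bot: sequelize-tls-disabled-cert-validation's added `- A05:2025 - Injection` carries forward an Injection / CWE-94 classification for a rule whose name and references (node-postgres SSL, the Node tls docs) point at disabled TLS certificate validation; its siblings sequelize-enforce-tls and sequelize-weak-tls-version on this same line map to `- A04:2025 - Cryptographic Failures`. Unless the rule's pattern really targets code injection, the 2025 entry would more plausibly be `- A04:2025 - Cryptographic Failures`, with the 2021 entry and the CWE (CWE-295, Improper Certificate Validation, is the usual fit) corrected in the same change rather than propagating the mismatch into a second taxonomy. The rule's pattern and message are outside this hunk, so the intended scope cannot be confirmed from the diff.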
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - 'CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)'
 category: security
diff --git a/javascript/shelljs/security/shelljs-exec-injection.yaml b/javascript/shelljs/security/shelljs-exec-injection.yaml
index f9e63853ba..78aea59b98 100644
--- a/javascript/shelljs/security/shelljs-exec-injection.yaml
+++ b/javascript/shelljs/security/shelljs-exec-injection.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 category: security
diff --git a/javascript/thenify/security/audit/multiargs-code-execution.yaml b/javascript/thenify/security/audit/multiargs-code-execution.yaml
index 95a27cb9ca..88f61e8ad3 100644
--- a/javascript/thenify/security/audit/multiargs-code-execution.yaml
+++ b/javascript/thenify/security/audit/multiargs-code-execution.yaml
@@ -7,6 +7,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - thenify
diff --git a/javascript/vm2/security/audit/vm2-code-injection.yaml b/javascript/vm2/security/audit/vm2-code-injection.yaml
index b4d4700522..1e639eb347 100644
--- a/javascript/vm2/security/audit/vm2-code-injection.yaml
+++ b/javascript/vm2/security/audit/vm2-code-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/vm2/security/audit/vm2-context-injection.yaml b/javascript/vm2/security/audit/vm2-context-injection.yaml
index f14d17f45e..a501f6d8c8 100644
--- a/javascript/vm2/security/audit/vm2-context-injection.yaml
+++ b/javascript/vm2/security/audit/vm2-context-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 category: security
diff --git a/javascript/vue/security/audit/xss/templates/avoid-v-html.yaml b/javascript/vue/security/audit/xss/templates/avoid-v-html.yaml
index c017aecccb..3f2276571e 100644
--- a/javascript/vue/security/audit/xss/templates/avoid-v-html.yaml
+++ b/javascript/vue/security/audit/xss/templates/avoid-v-html.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/javascript/wkhtmltoimage/security/audit/wkhtmltoimage-injection.yaml b/javascript/wkhtmltoimage/security/audit/wkhtmltoimage-injection.yaml
index b7e3e82ce7..cb49a44d7c 100644
--- a/javascript/wkhtmltoimage/security/audit/wkhtmltoimage-injection.yaml
+++ b/javascript/wkhtmltoimage/security/audit/wkhtmltoimage-injection.yaml
@@ -6,6 +6,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/wkhtmltopdf/security/audit/wkhtmltopdf-injection.yaml b/javascript/wkhtmltopdf/security/audit/wkhtmltopdf-injection.yaml
index 0cb975a752..f0d0595453 100644
--- a/javascript/wkhtmltopdf/security/audit/wkhtmltopdf-injection.yaml
+++ b/javascript/wkhtmltopdf/security/audit/wkhtmltopdf-injection.yaml
@@ -5,6 +5,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 category: security
diff --git a/javascript/xml2json/security/audit/xml2json-xxe.yaml b/javascript/xml2json/security/audit/xml2json-xxe.yaml
index cad4ec8d8f..c8fe2f0c67 100644
--- a/javascript/xml2json/security/audit/xml2json-xxe.yaml
+++ b/javascript/xml2json/security/audit/xml2json-xxe.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 asvs:
diff --git a/json/aws/security/public-s3-bucket.yaml b/json/aws/security/public-s3-bucket.yaml
index c2093376ba..c7eb54ee4f 100644
--- a/json/aws/security/public-s3-bucket.yaml
+++ b/json/aws/security/public-s3-bucket.yaml
@@ -14,6 +14,7 @@ rules:
 - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
 technology:
diff --git a/json/aws/security/public-s3-policy-statement.yaml b/json/aws/security/public-s3-policy-statement.yaml
index ffa23773ea..042a639e6f 100644
--- a/json/aws/security/public-s3-policy-statement.yaml
+++ b/json/aws/security/public-s3-policy-statement.yaml
@@ -16,6 +16,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls'
 references:
diff --git a/json/aws/security/wildcard-assume-role.yaml b/json/aws/security/wildcard-assume-role.yaml
index 08d13f0fa3..bffc5abb18 100644
--- a/json/aws/security/wildcard-assume-role.yaml
+++ b/json/aws/security/wildcard-assume-role.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - vuln
 likelihood: HIGH
diff --git a/kotlin/gradle/security/build-gradle-password-hardcoded.yaml b/kotlin/gradle/security/build-gradle-password-hardcoded.yaml
index 2776569e27..928a385e8d 100644
--- a/kotlin/gradle/security/build-gradle-password-hardcoded.yaml
+++ b/kotlin/gradle/security/build-gradle-password-hardcoded.yaml
@@ -21,6 +21,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 technology:
diff --git a/kotlin/lang/security/anonymous-ldap-bind.yaml b/kotlin/lang/security/anonymous-ldap-bind.yaml
index 1b7274de32..6db654063b 100644
--- a/kotlin/lang/security/anonymous-ldap-bind.yaml
+++ b/kotlin/lang/security/anonymous-ldap-bind.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS
 category: security
 technology:
diff --git a/kotlin/lang/security/command-injection-formatted-runtime-call.yaml b/kotlin/lang/security/command-injection-formatted-runtime-call.yaml
index 7b6f1c0b57..235a2b23eb 100644
--- a/kotlin/lang/security/command-injection-formatted-runtime-call.yaml
+++ b/kotlin/lang/security/command-injection-formatted-runtime-call.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.
 category: security
 technology:
diff --git a/kotlin/lang/security/cookie-missing-httponly.yaml b/kotlin/lang/security/cookie-missing-httponly.yaml
index 6265ff69f6..7576f6f1bd 100644
--- a/kotlin/lang/security/cookie-missing-httponly.yaml
+++ b/kotlin/lang/security/cookie-missing-httponly.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
 category: security
 technology:
diff --git a/kotlin/lang/security/cookie-missing-secure-flag.yaml b/kotlin/lang/security/cookie-missing-secure-flag.yaml
index 1568687593..d34de36de0 100644
--- a/kotlin/lang/security/cookie-missing-secure-flag.yaml
+++ b/kotlin/lang/security/cookie-missing-secure-flag.yaml
@@ -5,6 +5,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE
 category: security
 technology:
diff --git a/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml b/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml
index 13d3ae5d88..dc90e1435c 100644
--- a/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml
+++ b/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
 asvs:
 section: V9 Communications Verification Requirements
diff --git a/kotlin/lang/security/ecb-cipher.yaml b/kotlin/lang/security/ecb-cipher.yaml
index 768852f84b..a24275a229 100644
--- a/kotlin/lang/security/ecb-cipher.yaml
+++ b/kotlin/lang/security/ecb-cipher.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE
 category: security
 technology:
diff --git a/kotlin/lang/security/gcm-detection.yaml b/kotlin/lang/security/gcm-detection.yaml
index 947774777a..a74e149166 100644
--- a/kotlin/lang/security/gcm-detection.yaml
+++ b/kotlin/lang/security/gcm-detection.yaml
@@ -10,6 +10,7 @@ rules:
 - kotlin
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/kotlin/lang/security/no-null-cipher.yaml b/kotlin/lang/security/no-null-cipher.yaml
index b5fcc93378..30ca14a511 100644
--- a/kotlin/lang/security/no-null-cipher.yaml
+++ b/kotlin/lang/security/no-null-cipher.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/kotlin/lang/security/unencrypted-socket.yaml b/kotlin/lang/security/unencrypted-socket.yaml
index 3b02a2605e..146ca246e1 100644
--- a/kotlin/lang/security/unencrypted-socket.yaml
+++ b/kotlin/lang/security/unencrypted-socket.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/kotlin/lang/security/use-of-md5.yaml b/kotlin/lang/security/use-of-md5.yaml
index 2e62946a74..3237c20fd3 100644
--- a/kotlin/lang/security/use-of-md5.yaml
+++ b/kotlin/lang/security/use-of-md5.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-328: Use of Weak Hash'
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
diff --git a/kotlin/lang/security/use-of-sha1.yaml b/kotlin/lang/security/use-of-sha1.yaml
index bd306d7c63..8fafd010ca 100644
--- a/kotlin/lang/security/use-of-sha1.yaml
+++ b/kotlin/lang/security/use-of-sha1.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
diff --git a/kotlin/lang/security/weak-rsa.yaml b/kotlin/lang/security/weak-rsa.yaml
index 49c430b71d..02b11529ea 100644
--- a/kotlin/lang/security/weak-rsa.yaml
+++ b/kotlin/lang/security/weak-rsa.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml b/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml
index caebbcf098..576b51c375 100644
--- a/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml
+++ b/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html
 - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
diff --git a/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml b/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml
index 2dc588a59e..2f8ed063c5 100644
--- a/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml
+++ b/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection
 - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
diff --git a/php/lang/security/assert-use.yaml b/php/lang/security/assert-use.yaml
index f24b40664b..82f5672acd 100644
--- a/php/lang/security/assert-use.yaml
+++ b/php/lang/security/assert-use.yaml
@@ -24,6 +24,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 references:
diff --git a/php/lang/security/audit/assert-use-audit.yaml b/php/lang/security/audit/assert-use-audit.yaml
index e7e0791705..faa29e9a26 100644
--- a/php/lang/security/audit/assert-use-audit.yaml
+++ b/php/lang/security/audit/assert-use-audit.yaml
@@ -12,6 +12,7 @@ rules:
 metadata:
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 references:
diff --git a/php/lang/security/audit/openssl-decrypt-validate.yaml b/php/lang/security/audit/openssl-decrypt-validate.yaml
index 8df5710ebb..49a19e6ab6 100644
--- a/php/lang/security/audit/openssl-decrypt-validate.yaml
+++ b/php/lang/security/audit/openssl-decrypt-validate.yaml
@@ -63,6 +63,7 @@ rules:
 - 'CWE-252: Unchecked Return Value'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 technology:
 - php
 - openssl
diff --git a/php/lang/security/audit/sha224-hash.yaml b/php/lang/security/audit/sha224-hash.yaml
index 5623512ba9..e7fefc742d 100644
--- a/php/lang/security/audit/sha224-hash.yaml
+++ b/php/lang/security/audit/sha224-hash.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/php/lang/security/backticks-use.yaml b/php/lang/security/backticks-use.yaml
index a94943c47b..1498020813 100644
--- a/php/lang/security/backticks-use.yaml
+++ b/php/lang/security/backticks-use.yaml
@@ -14,6 +14,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/php/lang/security/curl-ssl-verifypeer-off.yaml b/php/lang/security/curl-ssl-verifypeer-off.yaml
index d3f5e8e668..9b3b3f8cb3 100644
--- a/php/lang/security/curl-ssl-verifypeer-off.yaml
+++ b/php/lang/security/curl-ssl-verifypeer-off.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/php/lang/security/deserialization.yaml b/php/lang/security/deserialization.yaml
index a35a4f8861..28365b011f 100644
--- a/php/lang/security/deserialization.yaml
+++ b/php/lang/security/deserialization.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 technology:
 - php
 references:
diff --git a/php/lang/security/eval-use.yaml b/php/lang/security/eval-use.yaml
index 3d0f753b6c..4133e3d9b9 100644
--- a/php/lang/security/eval-use.yaml
+++ b/php/lang/security/eval-use.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/php/lang/security/exec-use.yaml b/php/lang/security/exec-use.yaml
index 8eef408f62..680a8b8510 100644
--- a/php/lang/security/exec-use.yaml
+++ b/php/lang/security/exec-use.yaml
@@ -18,6 +18,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/php/lang/security/file-inclusion.yaml b/php/lang/security/file-inclusion.yaml
index 3cefe23c7a..e75ebcc1ed 100644
--- a/php/lang/security/file-inclusion.yaml
+++ b/php/lang/security/file-inclusion.yaml
@@ -18,6 +18,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 subcategory:
 - audit
 likelihood: LOW
diff --git a/php/lang/security/ftp-use.yaml b/php/lang/security/ftp-use.yaml
index aff39b7bf2..980644cec5 100644
--- a/php/lang/security/ftp-use.yaml
+++ b/php/lang/security/ftp-use.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/php/lang/security/injection/echoed-request.yaml b/php/lang/security/injection/echoed-request.yaml
index 88f594e82d..bcc3da5424 100644
--- a/php/lang/security/injection/echoed-request.yaml
+++ b/php/lang/security/injection/echoed-request.yaml
@@ -46,6 +46,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 references:
 - https://www.php.net/manual/en/function.htmlentities.php
diff --git a/php/lang/security/injection/printed-request.yaml b/php/lang/security/injection/printed-request.yaml
index 9cf2ebae59..e34b95e673 100644
--- a/php/lang/security/injection/printed-request.yaml
+++ b/php/lang/security/injection/printed-request.yaml
@@ -46,6 +46,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 references:
 - https://www.php.net/manual/en/function.htmlentities.php
diff --git a/php/lang/security/injection/tainted-callable.yaml b/php/lang/security/injection/tainted-callable.yaml
index 89d834c970..4a27a75da4 100644
--- a/php/lang/security/injection/tainted-callable.yaml
+++ b/php/lang/security/injection/tainted-callable.yaml
@@ -11,6 +11,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.php.net/manual/en/language.types.callable.php
 subcategory:
diff --git a/php/lang/security/injection/tainted-exec.yaml b/php/lang/security/injection/tainted-exec.yaml
index b66e106218..5c373a3685 100644
--- a/php/lang/security/injection/tainted-exec.yaml
+++ b/php/lang/security/injection/tainted-exec.yaml
@@ -13,6 +13,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 subcategory:
diff --git a/php/lang/security/injection/tainted-filename.yaml b/php/lang/security/injection/tainted-filename.yaml
index a2c1364cf1..2f3c82301b 100644
--- a/php/lang/security/injection/tainted-filename.yaml
+++ b/php/lang/security/injection/tainted-filename.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
 cwe2022-top25: true
diff --git a/php/lang/security/injection/tainted-object-instantiation.yaml b/php/lang/security/injection/tainted-object-instantiation.yaml
index f1c9e5e891..90fda8cae0 100644
--- a/php/lang/security/injection/tainted-object-instantiation.yaml
+++ b/php/lang/security/injection/tainted-object-instantiation.yaml
@@ -13,6 +13,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 subcategory:
diff --git a/php/lang/security/injection/tainted-session.yaml b/php/lang/security/injection/tainted-session.yaml
index 0a19e3d9ad..9cc5d51c62 100644
--- a/php/lang/security/injection/tainted-session.yaml
+++ b/php/lang/security/injection/tainted-session.yaml
@@ -15,6 +15,7 @@ rules:
 - 'CWE-284: Improper Access Control'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://en.wikipedia.org/wiki/Session_poisoning
 cwe2022-top25: true
diff --git a/php/lang/security/injection/tainted-sql-string.yaml b/php/lang/security/injection/tainted-sql-string.yaml
index 6fdc4ea383..06a0a03a75 100644
--- a/php/lang/security/injection/tainted-sql-string.yaml
+++ b/php/lang/security/injection/tainted-sql-string.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/www-community/attacks/SQL_Injection
 category: security
diff --git a/php/lang/security/injection/tainted-url-host.yaml b/php/lang/security/injection/tainted-url-host.yaml
index 84b84a9977..30bd6b7c08 100644
--- a/php/lang/security/injection/tainted-url-host.yaml
+++ b/php/lang/security/injection/tainted-url-host.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 category: security
diff --git a/php/lang/security/ldap-bind-without-password.yaml b/php/lang/security/ldap-bind-without-password.yaml
index c9bf6ba96b..09fd50c181 100644
--- a/php/lang/security/ldap-bind-without-password.yaml
+++ b/php/lang/security/ldap-bind-without-password.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - php
diff --git a/php/lang/security/mb-ereg-replace-eval.yaml b/php/lang/security/mb-ereg-replace-eval.yaml
index 45fdaf805b..cce7dcdbb8 100644
--- a/php/lang/security/mb-ereg-replace-eval.yaml
+++ b/php/lang/security/mb-ereg-replace-eval.yaml
@@ -18,6 +18,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/php/lang/security/md5-used-as-password.yaml b/php/lang/security/md5-used-as-password.yaml
index d2ae69e035..5d45d279bf 100644
--- a/php/lang/security/md5-used-as-password.yaml
+++ b/php/lang/security/md5-used-as-password.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://tools.ietf.org/html/rfc6151
 - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
diff --git a/php/lang/security/openssl-cbc-static-iv.yaml b/php/lang/security/openssl-cbc-static-iv.yaml
index 25061c1f16..39dce0bf30 100644
--- a/php/lang/security/openssl-cbc-static-iv.yaml
+++ b/php/lang/security/openssl-cbc-static-iv.yaml
@@ -19,6 +19,7 @@ rules:
 - https://csrc.nist.gov/publications/detail/sp/800-38a/final
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 technology:
 - php
 - openssl
diff --git a/php/lang/security/php-permissive-cors.yaml b/php/lang/security/php-permissive-cors.yaml
index d8b5bd9e8f..a578b79c47 100644
--- a/php/lang/security/php-permissive-cors.yaml
+++ b/php/lang/security/php-permissive-cors.yaml
@@ -18,6 +18,7 @@ rules:
 - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-346: Origin Validation Error'
 category: security
diff --git a/php/lang/security/php-ssrf.yaml b/php/lang/security/php-ssrf.yaml
index ff6401bc3f..3f5f0fd1d7 100644
--- a/php/lang/security/php-ssrf.yaml
+++ b/php/lang/security/php-ssrf.yaml
@@ -38,6 +38,7 @@ rules:
 - php
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/php/lang/security/phpinfo-use.yaml b/php/lang/security/phpinfo-use.yaml
index c8182fd89a..061c5e8e06 100644
--- a/php/lang/security/phpinfo-use.yaml
+++ b/php/lang/security/phpinfo-use.yaml
@@ -14,6 +14,7 @@ rules:
 - php
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe2021-top25: true
 subcategory:
 - vuln
diff --git a/php/lang/security/redirect-to-request-uri.yaml b/php/lang/security/redirect-to-request-uri.yaml
index 73076b07ce..65ce799bd8 100644
--- a/php/lang/security/redirect-to-request-uri.yaml
+++ b/php/lang/security/redirect-to-request-uri.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 likelihood: MEDIUM
diff --git a/php/lang/security/tainted-exec.yaml b/php/lang/security/tainted-exec.yaml
index 118fbc3e9e..450404a15d 100644
--- a/php/lang/security/tainted-exec.yaml
+++ b/php/lang/security/tainted-exec.yaml
@@ -30,6 +30,7 @@ rules:
 - php
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - vuln
diff --git a/php/lang/security/unlink-use.yaml b/php/lang/security/unlink-use.yaml
index ddf432ac8b..71afce339a 100644
--- a/php/lang/security/unlink-use.yaml
+++ b/php/lang/security/unlink-use.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 cwe2022-top25: true
diff --git a/php/lang/security/unserialize-use.yaml b/php/lang/security/unserialize-use.yaml
index 0a55e4fa17..d15fbaeede 100644
--- a/php/lang/security/unserialize-use.yaml
+++ b/php/lang/security/unserialize-use.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 cwe2022-top25: true
diff --git a/php/lang/security/weak-crypto.yaml b/php/lang/security/weak-crypto.yaml
index 668bdc154a..710663efc4 100644
--- a/php/lang/security/weak-crypto.yaml
+++ b/php/lang/security/weak-crypto.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/php/laravel/security/laravel-active-debug-code.yaml b/php/laravel/security/laravel-active-debug-code.yaml
index 872217982c..e2525b9169 100644
--- a/php/laravel/security/laravel-active-debug-code.yaml
+++ b/php/laravel/security/laravel-active-debug-code.yaml
@@ -22,6 +22,7 @@ rules:
 - 'CWE-489: Active Debug Code'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-api-route-sql-injection.yaml b/php/laravel/security/laravel-api-route-sql-injection.yaml
index ccd367b6b0..434e4524ad 100644
--- a/php/laravel/security/laravel-api-route-sql-injection.yaml
+++ b/php/laravel/security/laravel-api-route-sql-injection.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
 technology:
diff --git a/php/laravel/security/laravel-blade-form-missing-csrf.yaml b/php/laravel/security/laravel-blade-form-missing-csrf.yaml
index 7c87ef865d..ff6518a15a 100644
--- a/php/laravel/security/laravel-blade-form-missing-csrf.yaml
+++ b/php/laravel/security/laravel-blade-form-missing-csrf.yaml
@@ -17,6 +17,7 @@ rules:
 cwe2022-top25: true
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://laravel.com/docs/9.x/csrf
 subcategory:
diff --git a/php/laravel/security/laravel-cookie-http-only.yaml b/php/laravel/security/laravel-cookie-http-only.yaml
index 6b41f059ad..a54b26e41c 100644
--- a/php/laravel/security/laravel-cookie-http-only.yaml
+++ b/php/laravel/security/laravel-cookie-http-only.yaml
@@ -38,6 +38,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-cookie-long-timeout.yaml b/php/laravel/security/laravel-cookie-long-timeout.yaml
index 6103e1f898..00c7762ae5 100644
--- a/php/laravel/security/laravel-cookie-long-timeout.yaml
+++ b/php/laravel/security/laravel-cookie-long-timeout.yaml
@@ -32,6 +32,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-cookie-null-domain.yaml b/php/laravel/security/laravel-cookie-null-domain.yaml
index 9140740984..a3517b901d 100644
--- a/php/laravel/security/laravel-cookie-null-domain.yaml
+++ b/php/laravel/security/laravel-cookie-null-domain.yaml
@@ -37,6 +37,7 @@ rules:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-cookie-same-site.yaml b/php/laravel/security/laravel-cookie-same-site.yaml
index 51abea6df2..94ebd834db 100644
--- a/php/laravel/security/laravel-cookie-same-site.yaml
+++ b/php/laravel/security/laravel-cookie-same-site.yaml
@@ -43,6 +43,7 @@ rules:
 - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-cookie-secure-set.yaml b/php/laravel/security/laravel-cookie-secure-set.yaml
index 327132731d..2f2c248e75 100644
--- a/php/laravel/security/laravel-cookie-secure-set.yaml
+++ b/php/laravel/security/laravel-cookie-secure-set.yaml
@@ -38,6 +38,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - php
 - laravel
diff --git a/php/laravel/security/laravel-dangerous-model-construction.yaml b/php/laravel/security/laravel-dangerous-model-construction.yaml
index e5d86cf6e9..d25b88236c 100644
--- a/php/laravel/security/laravel-dangerous-model-construction.yaml
+++ b/php/laravel/security/laravel-dangerous-model-construction.yaml
@@ -24,6 +24,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/php/laravel/security/laravel-sql-injection.yaml b/php/laravel/security/laravel-sql-injection.yaml
index 820751b267..0fd592fd47 100644
--- a/php/laravel/security/laravel-sql-injection.yaml
+++ b/php/laravel/security/laravel-sql-injection.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 category: security
diff --git a/php/laravel/security/laravel-unsafe-validator.yaml b/php/laravel/security/laravel-unsafe-validator.yaml
index 3a582d4bcd..9c1a574d9b 100644
--- a/php/laravel/security/laravel-unsafe-validator.yaml
+++ b/php/laravel/security/laravel-unsafe-validator.yaml
@@ -50,6 +50,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - php
 - laravel
diff --git a/php/symfony/security/audit/symfony-csrf-protection-disabled.yaml b/php/symfony/security/audit/symfony-csrf-protection-disabled.yaml
index fac8ae715b..4fc4381a8f 100644
--- a/php/symfony/security/audit/symfony-csrf-protection-disabled.yaml
+++ b/php/symfony/security/audit/symfony-csrf-protection-disabled.yaml
@@ -25,6 +25,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - symfony
diff --git a/php/symfony/security/audit/symfony-non-literal-redirect.yaml b/php/symfony/security/audit/symfony-non-literal-redirect.yaml
index 0704a27e11..ea44b1d1c5 100644
--- a/php/symfony/security/audit/symfony-non-literal-redirect.yaml
+++ b/php/symfony/security/audit/symfony-non-literal-redirect.yaml
@@ -16,6 +16,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 category: security
diff --git a/php/symfony/security/audit/symfony-permissive-cors.yaml b/php/symfony/security/audit/symfony-permissive-cors.yaml
index 264f239c9e..c0dfab7a9a 100644
--- a/php/symfony/security/audit/symfony-permissive-cors.yaml
+++ b/php/symfony/security/audit/symfony-permissive-cors.yaml
@@ -31,6 +31,7 @@ rules:
 - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-346: Origin Validation Error'
 category: security
diff --git a/php/wordpress-plugins/security/audit/wp-ajax-no-auth-and-auth-hooks-audit.yaml b/php/wordpress-plugins/security/audit/wp-ajax-no-auth-and-auth-hooks-audit.yaml
index c6bdcb4025..f63c4a8637 100644
--- a/php/wordpress-plugins/security/audit/wp-ajax-no-auth-and-auth-hooks-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-ajax-no-auth-and-auth-hooks-audit.yaml
@@ -29,5 +29,6 @@ rules:
 - https://developer.wordpress.org/reference/hooks/wp_ajax_action/
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-285: Improper Authorization"
diff --git a/php/wordpress-plugins/security/audit/wp-authorisation-checks-audit.yaml b/php/wordpress-plugins/security/audit/wp-authorisation-checks-audit.yaml
index 6f1e1d7f83..d840e07d51 100644
--- a/php/wordpress-plugins/security/audit/wp-authorisation-checks-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-authorisation-checks-audit.yaml
@@ -27,5 +27,6 @@ rules:
 - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#authorisation
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-285: Improper Authorization"
diff --git a/php/wordpress-plugins/security/audit/wp-code-execution-audit.yaml b/php/wordpress-plugins/security/audit/wp-code-execution-audit.yaml
index 20ac377e23..42c37eda79 100644
--- a/php/wordpress-plugins/security/audit/wp-code-execution-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-code-execution-audit.yaml
@@ -28,5 +28,6 @@ rules:
 - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-code-execution
 owasp:
 - "A03:2021 - Injection"
+ - A05:2025 - Injection
 cwe:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
diff --git a/php/wordpress-plugins/security/audit/wp-command-execution-audit.yaml b/php/wordpress-plugins/security/audit/wp-command-execution-audit.yaml
index 62fd6792a5..79d3615376 100644
--- a/php/wordpress-plugins/security/audit/wp-command-execution-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-command-execution-audit.yaml
@@ -29,5 +29,6 @@ rules:
 - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution
 owasp:
 - "A03:2021 - Injection"
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
diff --git a/php/wordpress-plugins/security/audit/wp-csrf-audit.yaml b/php/wordpress-plugins/security/audit/wp-csrf-audit.yaml
index f70a451f0c..403827f3ca 100644
--- a/php/wordpress-plugins/security/audit/wp-csrf-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-csrf-audit.yaml
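Review bot: In wp-code-execution-audit and wp-command-execution-audit the existing entry is the double-quoted `- "A03:2021 - Injection"` while the added line is the bare `- A05:2025 - Injection`, so the same `owasp` list now mixes two scalar styles. Both forms parse to the same string, but matching the list's existing style, `- "A05:2025 - Injection"`, keeps each file consistent with itself; the unquoted form is what the rest of the page uses, so this is a per-file choice rather than a repo-wide one.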
@@ -24,5 +24,6 @@ rules:
 - https://developer.wordpress.org/reference/functions/check_ajax_referer/
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - "CWE-352: Cross-Site Request Forgery (CSRF)"
diff --git a/php/wordpress-plugins/security/audit/wp-file-download-audit.yaml b/php/wordpress-plugins/security/audit/wp-file-download-audit.yaml
index c68129820b..a6d99e292e 100644
--- a/php/wordpress-plugins/security/audit/wp-file-download-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-file-download-audit.yaml
@@ -30,3 +30,4 @@ rules:
 - "CWE-73: External Control of File Name or Path"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
diff --git a/php/wordpress-plugins/security/audit/wp-file-inclusion-audit.yaml b/php/wordpress-plugins/security/audit/wp-file-inclusion-audit.yaml
index 57b15031ee..b8318f6ed7 100644
--- a/php/wordpress-plugins/security/audit/wp-file-inclusion-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-file-inclusion-audit.yaml
@@ -31,6 +31,8 @@ rules:
 owasp:
 - A01:2021 - Broken Access Control
 - A08:2021 - Software and Data Integrity Failures
+ - A01:2025 - Broken Access Control
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 - "CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations."
diff --git a/php/wordpress-plugins/security/audit/wp-file-manipulation-audit.yaml b/php/wordpress-plugins/security/audit/wp-file-manipulation-audit.yaml
index 9b929d4f4e..d7ee6ac7ed 100644
--- a/php/wordpress-plugins/security/audit/wp-file-manipulation-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-file-manipulation-audit.yaml
@@ -27,6 +27,8 @@ rules:
 owasp:
 - A01:2021 - Broken Access Control
 - A08:2021 - Software and Data Integrity Failures
+ - A01:2025 - Broken Access Control
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 - "CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations."
diff --git a/php/wordpress-plugins/security/audit/wp-open-redirect-audit.yaml b/php/wordpress-plugins/security/audit/wp-open-redirect-audit.yaml
index ce3e107c78..55e26be417 100644
--- a/php/wordpress-plugins/security/audit/wp-open-redirect-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-open-redirect-audit.yaml
@@ -27,3 +27,4 @@ rules:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
diff --git a/php/wordpress-plugins/security/audit/wp-php-object-injection-audit.yaml b/php/wordpress-plugins/security/audit/wp-php-object-injection-audit.yaml
index 03751590b1..26771defff 100644
--- a/php/wordpress-plugins/security/audit/wp-php-object-injection-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-php-object-injection-audit.yaml
@@ -30,3 +30,4 @@ rules:
 - "CWE-502: Deserialization of Untrusted Data"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
diff --git a/php/wordpress-plugins/security/audit/wp-sql-injection-audit.yaml b/php/wordpress-plugins/security/audit/wp-sql-injection-audit.yaml
index b5965a2ff1..b38ee9acd9 100644
--- a/php/wordpress-plugins/security/audit/wp-sql-injection-audit.yaml
+++ b/php/wordpress-plugins/security/audit/wp-sql-injection-audit.yaml
@@ -38,5 +38,6 @@ rules:
 - https://owasp.org/www-community/attacks/SQL_Injection
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
diff --git a/problem-based-packs/insecure-transport/js-node/using-http-server.yaml b/problem-based-packs/insecure-transport/js-node/using-http-server.yaml
index 46e15b2c6a..baa1545e9f 100644
--- a/problem-based-packs/insecure-transport/js-node/using-http-server.yaml
+++ b/problem-based-packs/insecure-transport/js-node/using-http-server.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A02:2021 - Cryptographic Failures
 - A03:2017 - Sensitive Data Exposure
+ - A04:2025 - Cryptographic Failures
 references:
 - https://nodejs.org/api/http.html#http_class_http_agent
 - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY
diff --git a/python/airflow/security/audit/formatted-string-bashoperator.yaml b/python/airflow/security/audit/formatted-string-bashoperator.yaml
index ec2468249e..8ebfd25997 100644
--- a/python/airflow/security/audit/formatted-string-bashoperator.yaml
+++ b/python/airflow/security/audit/formatted-string-bashoperator.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - airflow
diff --git a/python/aws-lambda/security/dangerous-asyncio-create-exec.yaml b/python/aws-lambda/security/dangerous-asyncio-create-exec.yaml
index 0d8128212b..05358a3fab 100644
--- a/python/aws-lambda/security/dangerous-asyncio-create-exec.yaml
+++ b/python/aws-lambda/security/dangerous-asyncio-create-exec.yaml
@@ -33,6 +33,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/aws-lambda/security/dangerous-asyncio-exec.yaml b/python/aws-lambda/security/dangerous-asyncio-exec.yaml
index b7c0520b26..3737265cb3 100644
--- a/python/aws-lambda/security/dangerous-asyncio-exec.yaml
+++ b/python/aws-lambda/security/dangerous-asyncio-exec.yaml
@@ -27,6 +27,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/aws-lambda/security/dangerous-asyncio-shell.yaml b/python/aws-lambda/security/dangerous-asyncio-shell.yaml
index 6aa9f1d89c..0e850a9c6e 100644
--- a/python/aws-lambda/security/dangerous-asyncio-shell.yaml
+++ b/python/aws-lambda/security/dangerous-asyncio-shell.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/aws-lambda/security/dangerous-spawn-process.yaml b/python/aws-lambda/security/dangerous-spawn-process.yaml
index a0ba55947b..baa8be415a 100644
--- a/python/aws-lambda/security/dangerous-spawn-process.yaml
+++ b/python/aws-lambda/security/dangerous-spawn-process.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
 control_id: 5.3.8 OS Command Injection
diff --git a/python/aws-lambda/security/dangerous-subprocess-use.yaml b/python/aws-lambda/security/dangerous-subprocess-use.yaml
index 9889325883..749484ebb8 100644
--- a/python/aws-lambda/security/dangerous-subprocess-use.yaml
+++ b/python/aws-lambda/security/dangerous-subprocess-use.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/aws-lambda/security/dangerous-system-call.yaml b/python/aws-lambda/security/dangerous-system-call.yaml
index c80df61098..c674cbcb14 100644
--- a/python/aws-lambda/security/dangerous-system-call.yaml
+++ b/python/aws-lambda/security/dangerous-system-call.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
 control_id: 5.2.4 Dyanmic Code Execution Features
diff --git a/python/aws-lambda/security/mysql-sqli.yaml b/python/aws-lambda/security/mysql-sqli.yaml
index 8e16a3234e..8aebdffdec 100644
--- a/python/aws-lambda/security/mysql-sqli.yaml
+++ b/python/aws-lambda/security/mysql-sqli.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/aws-lambda/security/psycopg-sqli.yaml b/python/aws-lambda/security/psycopg-sqli.yaml
index 2fc0bb5158..44062eafd0 100644
--- a/python/aws-lambda/security/psycopg-sqli.yaml
+++ b/python/aws-lambda/security/psycopg-sqli.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/aws-lambda/security/pymssql-sqli.yaml b/python/aws-lambda/security/pymssql-sqli.yaml
index 4ec90450f7..23b68982ea 100644
--- a/python/aws-lambda/security/pymssql-sqli.yaml
+++ b/python/aws-lambda/security/pymssql-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/aws-lambda/security/pymysql-sqli.yaml b/python/aws-lambda/security/pymysql-sqli.yaml
index 47b022712d..3725bd0c30 100644
--- a/python/aws-lambda/security/pymysql-sqli.yaml
+++ b/python/aws-lambda/security/pymysql-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/aws-lambda/security/sqlalchemy-sqli.yaml b/python/aws-lambda/security/sqlalchemy-sqli.yaml
index b72b3693cd..c7c9d2ed69 100644
--- a/python/aws-lambda/security/sqlalchemy-sqli.yaml
+++ b/python/aws-lambda/security/sqlalchemy-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/aws-lambda/security/tainted-code-exec.yaml b/python/aws-lambda/security/tainted-code-exec.yaml
index 028bd41a51..37a6fb0c6a 100644
--- a/python/aws-lambda/security/tainted-code-exec.yaml
+++ b/python/aws-lambda/security/tainted-code-exec.yaml
@@ -22,6 +22,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
 control_id: 5.2.4 Dyanmic Code Execution Features
diff --git a/python/aws-lambda/security/tainted-html-response.yaml b/python/aws-lambda/security/tainted-html-response.yaml
index f6772a124e..184861a437 100644
--- a/python/aws-lambda/security/tainted-html-response.yaml
+++ b/python/aws-lambda/security/tainted-html-response.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - aws-lambda
diff --git a/python/aws-lambda/security/tainted-html-string.yaml b/python/aws-lambda/security/tainted-html-string.yaml
index be64ec4308..4ef0f99021 100644
--- a/python/aws-lambda/security/tainted-html-string.yaml
+++ b/python/aws-lambda/security/tainted-html-string.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - aws-lambda
diff --git a/python/aws-lambda/security/tainted-pickle-deserialization.yaml b/python/aws-lambda/security/tainted-pickle-deserialization.yaml
index d19548d96a..81a26e930c 100644
--- a/python/aws-lambda/security/tainted-pickle-deserialization.yaml
+++ b/python/aws-lambda/security/tainted-pickle-deserialization.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/aws-lambda/security/tainted-sql-string.yaml b/python/aws-lambda/security/tainted-sql-string.yaml
index 35ecaa3172..b6e0dc94fc 100644
--- a/python/aws-lambda/security/tainted-sql-string.yaml
+++ b/python/aws-lambda/security/tainted-sql-string.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/python/boto3/security/hardcoded-token.yaml b/python/boto3/security/hardcoded-token.yaml
index ed1f94c415..3e1da1522f 100644
--- a/python/boto3/security/hardcoded-token.yaml
+++ b/python/boto3/security/hardcoded-token.yaml
@@ -15,6 +15,7 @@ rules:
 - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - boto3
diff --git a/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml b/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
index d144ff1d60..9ac925709b 100644
--- a/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
+++ b/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
diff --git a/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml b/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml
index 2005b698c6..811710ba09 100644
--- a/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml
+++ b/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
diff --git a/python/cryptography/security/insecure-cipher-algorithms.yaml b/python/cryptography/security/insecure-cipher-algorithms.yaml
index 37289904a8..a3cc5eb6a1 100644
--- a/python/cryptography/security/insecure-cipher-algorithms.yaml
+++ b/python/cryptography/security/insecure-cipher-algorithms.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://tools.ietf.org/html/rfc5469
diff --git a/python/cryptography/security/insecure-cipher-mode-ecb.yaml b/python/cryptography/security/insecure-cipher-mode-ecb.yaml
index 8f48154191..8ef27f0672 100644
--- a/python/cryptography/security/insecure-cipher-mode-ecb.yaml
+++ b/python/cryptography/security/insecure-cipher-mode-ecb.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B305
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes
diff --git a/python/cryptography/security/insecure-hash-algorithms-md5.yaml b/python/cryptography/security/insecure-hash-algorithms-md5.yaml
index b34cf9b516..05a548ee95 100644
--- a/python/cryptography/security/insecure-hash-algorithms-md5.yaml
+++ b/python/cryptography/security/insecure-hash-algorithms-md5.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B303
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5
diff --git a/python/cryptography/security/insecure-hash-algorithms.yaml b/python/cryptography/security/insecure-hash-algorithms.yaml
index c6291bef49..2db08e1389 100644
--- a/python/cryptography/security/insecure-hash-algorithms.yaml
+++ b/python/cryptography/security/insecure-hash-algorithms.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B303
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1
diff --git a/python/cryptography/security/insufficient-dsa-key-size.yaml b/python/cryptography/security/insufficient-dsa-key-size.yaml
index 6976642173..0bac32e129 100644
--- a/python/cryptography/security/insufficient-dsa-key-size.yaml
+++ b/python/cryptography/security/insufficient-dsa-key-size.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
 references:
 - https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf
diff --git a/python/cryptography/security/insufficient-ec-key-size.yaml b/python/cryptography/security/insufficient-ec-key-size.yaml
index 755d001639..752336c18e 100644
--- a/python/cryptography/security/insufficient-ec-key-size.yaml
+++ b/python/cryptography/security/insufficient-ec-key-size.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
 references:
 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
diff --git a/python/cryptography/security/insufficient-rsa-key-size.yaml b/python/cryptography/security/insufficient-rsa-key-size.yaml
index 1ec1dcd035..60c9277604 100644
--- a/python/cryptography/security/insufficient-rsa-key-size.yaml
+++ b/python/cryptography/security/insufficient-rsa-key-size.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
 references:
 - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
diff --git a/python/cryptography/security/mode-without-authentication.yaml b/python/cryptography/security/mode-without-authentication.yaml
index 6da2b44226..7f84e921a1 100644
--- a/python/cryptography/security/mode-without-authentication.yaml
+++ b/python/cryptography/security/mode-without-authentication.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
 subcategory:
diff --git a/python/distributed/security.yaml b/python/distributed/security.yaml
index 88fd4b0472..866e4f1e41 100644
--- a/python/distributed/security.yaml
+++ b/python/distributed/security.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters
 category: security
diff --git a/python/django/security/audit/avoid-insecure-deserialization.yaml b/python/django/security/audit/avoid-insecure-deserialization.yaml
index 18387ca191..873ea88c91 100644
--- a/python/django/security/audit/avoid-insecure-deserialization.yaml
+++ b/python/django/security/audit/avoid-insecure-deserialization.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/django/security/audit/avoid-mark-safe.yaml b/python/django/security/audit/avoid-mark-safe.yaml
index ee832ca9bf..34b42ebb56 100644
--- a/python/django/security/audit/avoid-mark-safe.yaml
+++ b/python/django/security/audit/avoid-mark-safe.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe
 - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html
diff --git a/python/django/security/audit/csrf-exempt.yaml b/python/django/security/audit/csrf-exempt.yaml
index 3a86053e9c..47e3d17beb 100644
--- a/python/django/security/audit/csrf-exempt.yaml
+++ b/python/django/security/audit/csrf-exempt.yaml
@@ -12,6 +12,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - django
diff --git a/python/django/security/audit/custom-expression-as-sql.yaml b/python/django/security/audit/custom-expression-as-sql.yaml
index b2d532d346..294d4200cd 100644
--- a/python/django/security/audit/custom-expression-as-sql.yaml
+++ b/python/django/security/audit/custom-expression-as-sql.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql
 - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/
diff --git a/python/django/security/audit/django-rest-framework/missing-throttle-config.yaml b/python/django/security/audit/django-rest-framework/missing-throttle-config.yaml
index 823c99a1d5..a195817c40 100644
--- a/python/django/security/audit/django-rest-framework/missing-throttle-config.yaml
+++ b/python/django/security/audit/django-rest-framework/missing-throttle-config.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-770: Allocation of Resources Without Limits or Throttling'
 references:
diff --git a/python/django/security/audit/extends-custom-expression.yaml b/python/django/security/audit/extends-custom-expression.yaml
index df469ab262..378019d3e0 100644
--- a/python/django/security/audit/extends-custom-expression.yaml
+++ b/python/django/security/audit/extends-custom-expression.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection
 - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/
diff --git a/python/django/security/audit/query-set-extra.yaml b/python/django/security/audit/query-set-extra.yaml
index ab742ecc62..ab43ab0818 100644
--- a/python/django/security/audit/query-set-extra.yaml
+++ b/python/django/security/audit/query-set-extra.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra
 - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/
diff --git a/python/django/security/audit/raw-query.yaml b/python/django/security/audit/raw-query.yaml
index 905a30c925..b6e420e670 100644
--- a/python/django/security/audit/raw-query.yaml
+++ b/python/django/security/audit/raw-query.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions
 - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/
diff --git a/python/django/security/audit/secure-cookies.yaml b/python/django/security/audit/secure-cookies.yaml
index 2d6474b784..3cd11a2623 100644
--- a/python/django/security/audit/secure-cookies.yaml
+++ b/python/django/security/audit/secure-cookies.yaml
@@ -37,6 +37,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 asvs:
 section: 'V3: Session Management Verification Requirements'
 control_id: 3.4 Missing Cookie Attributes
diff --git a/python/django/security/audit/unvalidated-password.yaml b/python/django/security/audit/unvalidated-password.yaml
index 36cb364f09..0a0f0465fa 100644
--- a/python/django/security/audit/unvalidated-password.yaml
+++ b/python/django/security/audit/unvalidated-password.yaml
@@ -39,6 +39,7 @@ rules:
 - 'CWE-521: Weak Password Requirements'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation
 category: security
diff --git a/python/django/security/audit/xss/class-extends-safestring.yaml b/python/django/security/audit/xss/class-extends-safestring.yaml
index 5476654066..5221aa151e 100644
--- a/python/django/security/audit/xss/class-extends-safestring.yaml
+++ b/python/django/security/audit/xss/class-extends-safestring.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping
 - https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11
diff --git a/python/django/security/audit/xss/context-autoescape-off.yaml b/python/django/security/audit/xss/context-autoescape-off.yaml
index 0300270a50..508ab11dc4 100644
--- a/python/django/security/audit/xss/context-autoescape-off.yaml
+++ b/python/django/security/audit/xss/context-autoescape-off.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
 - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
diff --git a/python/django/security/audit/xss/direct-use-of-httpresponse.yaml b/python/django/security/audit/xss/direct-use-of-httpresponse.yaml
index c7c1e20615..b7e1a8804b 100644
--- a/python/django/security/audit/xss/direct-use-of-httpresponse.yaml
+++ b/python/django/security/audit/xss/direct-use-of-httpresponse.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render
 - https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render
diff --git a/python/django/security/audit/xss/filter-with-is-safe.yaml b/python/django/security/audit/xss/filter-with-is-safe.yaml
index 5cdb3ac781..4220fd99f5 100644
--- a/python/django/security/audit/xss/filter-with-is-safe.yaml
+++ b/python/django/security/audit/xss/filter-with-is-safe.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection
 - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping
diff --git a/python/django/security/audit/xss/formathtml-fstring-parameter.yaml b/python/django/security/audit/xss/formathtml-fstring-parameter.yaml
index cdeb2d0746..7c63093d46 100644
--- a/python/django/security/audit/xss/formathtml-fstring-parameter.yaml
+++ b/python/django/security/audit/xss/formathtml-fstring-parameter.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
 category: security
diff --git a/python/django/security/audit/xss/global-autoescape-off.yaml b/python/django/security/audit/xss/global-autoescape-off.yaml
index 12245e505a..81b4e93d34 100644
--- a/python/django/security/audit/xss/global-autoescape-off.yaml
+++ b/python/django/security/audit/xss/global-autoescape-off.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
 - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
diff --git a/python/django/security/audit/xss/html-magic-method.yaml b/python/django/security/audit/xss/html-magic-method.yaml
index 449899f85a..4331fa5226 100644
--- a/python/django/security/audit/xss/html-magic-method.yaml
+++ b/python/django/security/audit/xss/html-magic-method.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape
 - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5
diff --git a/python/django/security/audit/xss/html-safe.yaml b/python/django/security/audit/xss/html-safe.yaml
index 4138b7741a..ceaf90d0df 100644
--- a/python/django/security/audit/xss/html-safe.yaml
+++ b/python/django/security/audit/xss/html-safe.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe
 - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5
diff --git a/python/django/security/audit/xss/template-autoescape-off.yaml b/python/django/security/audit/xss/template-autoescape-off.yaml
index e7144093ed..1ccf997ff9 100644
--- a/python/django/security/audit/xss/template-autoescape-off.yaml
+++ b/python/django/security/audit/xss/template-autoescape-off.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape
 category: security
diff --git a/python/django/security/audit/xss/template-blocktranslate-no-escape.yaml b/python/django/security/audit/xss/template-blocktranslate-no-escape.yaml
index 494e202ac3..dc6ed6d057 100644
--- a/python/django/security/audit/xss/template-blocktranslate-no-escape.yaml
+++ b/python/django/security/audit/xss/template-blocktranslate-no-escape.yaml
@@ -31,6 +31,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
 - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
diff --git a/python/django/security/audit/xss/template-translate-as-no-escape.yaml b/python/django/security/audit/xss/template-translate-as-no-escape.yaml
index 4ca6012589..eeaaa60973 100644
--- a/python/django/security/audit/xss/template-translate-as-no-escape.yaml
+++ b/python/django/security/audit/xss/template-translate-as-no-escape.yaml
@@ -114,6 +114,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates
 - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code
diff --git a/python/django/security/audit/xss/template-var-unescaped-with-safeseq.yaml b/python/django/security/audit/xss/template-var-unescaped-with-safeseq.yaml
index ca84ad8142..3faa0ff1a8 100644
--- a/python/django/security/audit/xss/template-var-unescaped-with-safeseq.yaml
+++ b/python/django/security/audit/xss/template-var-unescaped-with-safeseq.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq
 category: security
diff --git a/python/django/security/globals-as-template-context.yaml b/python/django/security/globals-as-template-context.yaml
index fd2a37bce5..c90135eebf 100644
--- a/python/django/security/globals-as-template-context.yaml
+++ b/python/django/security/globals-as-template-context.yaml
@@ -15,6 +15,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.2/ref/settings/#templates
 - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates
diff --git a/python/django/security/injection/code/globals-misuse-code-execution.yaml b/python/django/security/injection/code/globals-misuse-code-execution.yaml
index 4429c3993c..71a171a095 100644
--- a/python/django/security/injection/code/globals-misuse-code-execution.yaml
+++ b/python/django/security/injection/code/globals-misuse-code-execution.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186
 category: security
diff --git a/python/django/security/injection/code/user-eval-format-string.yaml b/python/django/security/injection/code/user-eval-format-string.yaml
index dbba33474d..1ae59f01cd 100644
--- a/python/django/security/injection/code/user-eval-format-string.yaml
+++ b/python/django/security/injection/code/user-eval-format-string.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
 category: security
diff --git a/python/django/security/injection/code/user-eval.yaml b/python/django/security/injection/code/user-eval.yaml
index fed80ffc2f..1b98046ebd 100644
--- a/python/django/security/injection/code/user-eval.yaml
+++ b/python/django/security/injection/code/user-eval.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
 - https://owasp.org/www-community/attacks/Code_Injection
diff --git a/python/django/security/injection/code/user-exec-format-string.yaml b/python/django/security/injection/code/user-exec-format-string.yaml
index 04c914e338..30ca0b0dcf 100644
--- a/python/django/security/injection/code/user-exec-format-string.yaml
+++ b/python/django/security/injection/code/user-exec-format-string.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - django
diff --git a/python/django/security/injection/code/user-exec.yaml b/python/django/security/injection/code/user-exec.yaml
index 5d3a4f4a26..91d986f2ad 100644
--- a/python/django/security/injection/code/user-exec.yaml
+++ b/python/django/security/injection/code/user-exec.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - django
diff --git a/python/django/security/injection/command/command-injection-os-system.yaml b/python/django/security/injection/command/command-injection-os-system.yaml
index 2d5ae32c5e..72c611d49a 100644
--- a/python/django/security/injection/command/command-injection-os-system.yaml
+++ b/python/django/security/injection/command/command-injection-os-system.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/www-community/attacks/Command_Injection
 category: security
diff --git a/python/django/security/injection/command/subprocess-injection.yaml b/python/django/security/injection/command/subprocess-injection.yaml
index b5f57e841a..72415276cd 100644
--- a/python/django/security/injection/command/subprocess-injection.yaml
+++ b/python/django/security/injection/command/subprocess-injection.yaml
@@ -56,6 +56,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 references:
diff --git a/python/django/security/injection/csv-writer-injection.yaml b/python/django/security/injection/csv-writer-injection.yaml
index cb32a0071d..c937e3ef67 100644
--- a/python/django/security/injection/csv-writer-injection.yaml
+++ b/python/django/security/injection/csv-writer-injection.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/raphaelm/defusedcsv
 - https://owasp.org/www-community/attacks/CSV_Injection
diff --git a/python/django/security/injection/email/xss-html-email-body.yaml b/python/django/security/injection/email/xss-html-email-body.yaml
index 59ed54d8ff..1fdf314c1c 100644
--- a/python/django/security/injection/email/xss-html-email-body.yaml
+++ b/python/django/security/injection/email/xss-html-email-body.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.damonkohler.com/2008/12/email-injection.html
 category: security
diff --git a/python/django/security/injection/email/xss-send-mail-html-message.yaml b/python/django/security/injection/email/xss-send-mail-html-message.yaml
index ed7fc24683..79f84a9a47 100644
--- a/python/django/security/injection/email/xss-send-mail-html-message.yaml
+++ b/python/django/security/injection/email/xss-send-mail-html-message.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.damonkohler.com/2008/12/email-injection.html
 category: security
diff --git a/python/django/security/injection/mass-assignment.yaml b/python/django/security/injection/mass-assignment.yaml
index ed944839cd..df3605a5e7 100644
--- a/python/django/security/injection/mass-assignment.yaml
+++ b/python/django/security/injection/mass-assignment.yaml
@@ -12,6 +12,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 owaspapi: 'API6: Mass Assignment'
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
diff --git a/python/django/security/injection/open-redirect.yaml b/python/django/security/injection/open-redirect.yaml
index 1efa1cc49e..21d1d2110d 100644
--- a/python/django/security/injection/open-redirect.yaml
+++ b/python/django/security/injection/open-redirect.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/
 - https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231
diff --git a/python/django/security/injection/path-traversal/path-traversal-file-name.yaml b/python/django/security/injection/path-traversal/path-traversal-file-name.yaml
index c89a2f2a1a..bae8e1aee1 100644
--- a/python/django/security/injection/path-traversal/path-traversal-file-name.yaml
+++ b/python/django/security/injection/path-traversal/path-traversal-file-name.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Path_Traversal
 category: security
diff --git a/python/django/security/injection/path-traversal/path-traversal-join.yaml b/python/django/security/injection/path-traversal/path-traversal-join.yaml
index 8e723ed4ff..c6e0992b93 100644
--- a/python/django/security/injection/path-traversal/path-traversal-join.yaml
+++ b/python/django/security/injection/path-traversal/path-traversal-join.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Path_Traversal
 category: security
diff --git a/python/django/security/injection/path-traversal/path-traversal-open.yaml b/python/django/security/injection/path-traversal/path-traversal-open.yaml
index 5004f58908..bd6c89652b 100644
--- a/python/django/security/injection/path-traversal/path-traversal-open.yaml
+++ b/python/django/security/injection/path-traversal/path-traversal-open.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Path_Traversal
 category: security
diff --git a/python/django/security/injection/raw-html-format.yaml b/python/django/security/injection/raw-html-format.yaml
index a7bd6daf8a..afbc8ace4c 100644
--- a/python/django/security/injection/raw-html-format.yaml
+++ b/python/django/security/injection/raw-html-format.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - django
diff --git a/python/django/security/injection/reflected-data-httpresponse.yaml b/python/django/security/injection/reflected-data-httpresponse.yaml
index ca714cc727..2370c0250a 100644
--- a/python/django/security/injection/reflected-data-httpresponse.yaml
+++ b/python/django/security/injection/reflected-data-httpresponse.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
 category: security
diff --git a/python/django/security/injection/reflected-data-httpresponsebadrequest.yaml b/python/django/security/injection/reflected-data-httpresponsebadrequest.yaml
index f1dc204d01..21d8ccdde2 100644
--- a/python/django/security/injection/reflected-data-httpresponsebadrequest.yaml
+++ b/python/django/security/injection/reflected-data-httpresponsebadrequest.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
 category: security
diff --git a/python/django/security/injection/request-data-fileresponse.yaml b/python/django/security/injection/request-data-fileresponse.yaml
index a07ed9bb9b..a5a4eb4c00 100644
--- a/python/django/security/injection/request-data-fileresponse.yaml
+++ b/python/django/security/injection/request-data-fileresponse.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss
 category: security
diff --git a/python/django/security/injection/request-data-write.yaml b/python/django/security/injection/request-data-write.yaml
index ac0aa9f5f6..0f9907e791 100644
--- a/python/django/security/injection/request-data-write.yaml
+++ b/python/django/security/injection/request-data-write.yaml
@@ -11,6 +11,7 @@ rules:
 - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - django
diff --git a/python/django/security/injection/sql/sql-injection-extra.yaml b/python/django/security/injection/sql/sql-injection-extra.yaml
index 893c9510da..19e0d2920a 100644
--- a/python/django/security/injection/sql/sql-injection-extra.yaml
+++ b/python/django/security/injection/sql/sql-injection-extra.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra
 category: security
diff --git a/python/django/security/injection/sql/sql-injection-rawsql.yaml b/python/django/security/injection/sql/sql-injection-rawsql.yaml
index ab955264e1..af5e91961d 100644
--- a/python/django/security/injection/sql/sql-injection-rawsql.yaml
+++ b/python/django/security/injection/sql/sql-injection-rawsql.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL
 category: security
diff --git a/python/django/security/injection/sql/sql-injection-using-db-cursor-execute.yaml b/python/django/security/injection/sql/sql-injection-using-db-cursor-execute.yaml
index b524d7f222..909da721cf 100644
--- a/python/django/security/injection/sql/sql-injection-using-db-cursor-execute.yaml
+++ b/python/django/security/injection/sql/sql-injection-using-db-cursor-execute.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
 category: security
diff --git a/python/django/security/injection/sql/sql-injection-using-raw.yaml b/python/django/security/injection/sql/sql-injection-using-raw.yaml
index 5f18567e6d..51260cbcbe 100644
--- a/python/django/security/injection/sql/sql-injection-using-raw.yaml
+++ b/python/django/security/injection/sql/sql-injection-using-raw.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
 category: security
diff --git a/python/django/security/injection/ssrf/ssrf-injection-requests.yaml b/python/django/security/injection/ssrf/ssrf-injection-requests.yaml
index c3e25ac07f..01d87b82cc 100644
--- a/python/django/security/injection/ssrf/ssrf-injection-requests.yaml
+++ b/python/django/security/injection/ssrf/ssrf-injection-requests.yaml
@@ -13,6 +13,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
 category: security
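Review bot: The added `A01:2025 - Broken Access Control` entry in ssrf-injection-requests.yaml sits directly under `A10:2021 - Server-Side Request Forgery (SSRF)` with nothing in the file explaining why an SSRF rule now maps to an access-control category, so a later contributor is likely to read it as a copy-paste error and "correct" it. If this reflects the OWASP Top 10:2025 folding SSRF into A01, a one-line comment above the added entry would preserve that rationale, e.g. `# OWASP Top 10:2025 folds SSRF (A10:2021) into A01:2025 Broken Access Control`. The same applies to the ssrf-injection-urllib.yaml and django tainted-url-host.yaml hunks on the next line, and to the flask ssrf-requests.yaml and tainted-url-host.yaml hunks later in this diff.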
diff --git a/python/django/security/injection/ssrf/ssrf-injection-urllib.yaml b/python/django/security/injection/ssrf/ssrf-injection-urllib.yaml
index 9a2fe01784..02f2b67215 100644
--- a/python/django/security/injection/ssrf/ssrf-injection-urllib.yaml
+++ b/python/django/security/injection/ssrf/ssrf-injection-urllib.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
 category: security
diff --git a/python/django/security/injection/tainted-sql-string.yaml b/python/django/security/injection/tainted-sql-string.yaml
index 2848ebcc47..e545c4dac6 100644
--- a/python/django/security/injection/tainted-sql-string.yaml
+++ b/python/django/security/injection/tainted-sql-string.yaml
@@ -12,6 +12,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 references:
 - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection
 category: security
diff --git a/python/django/security/injection/tainted-url-host.yaml b/python/django/security/injection/tainted-url-host.yaml
index 3b32b25499..f46e34c380 100644
--- a/python/django/security/injection/tainted-url-host.yaml
+++ b/python/django/security/injection/tainted-url-host.yaml
@@ -13,6 +13,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 category: security
diff --git a/python/django/security/locals-as-template-context.yaml b/python/django/security/locals-as-template-context.yaml
index 423267f5c9..5a88ef2a86 100644
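Review bot: In the tainted-sql-string.yaml hunk, the added `A08:2025 - Software or Data Integrity Failures` carries a mapping that does not fit the rule into the new taxonomy: the file name and its only reference (Django's sql-injection-protection docs) describe SQL injection, while its cwe (CWE-915) and owasp (A08) entries are the same values the mass-assignment.yaml hunk earlier in this diff uses, which looks like a copy-paste from that rule. The flask tainted-sql-string.yaml hunk later in the diff maps the equivalent rule to `A03:2021 - Injection` plus `A05:2025 - Injection`. I would add `- A05:2025 - Injection` here instead and open a follow-up to correct the 2021 entry and the CWE (CWE-89 is the SQL-injection weakness) rather than entrench the A08 mapping.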
--- a/python/django/security/locals-as-template-context.yaml
+++ b/python/django/security/locals-as-template-context.yaml
@@ -15,6 +15,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.djangoproject.com/en/3.2/ref/settings/#templates
 - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates
diff --git a/python/django/security/passwords/password-empty-string.yaml b/python/django/security/passwords/password-empty-string.yaml
index fd89654d0a..ce89fec546 100644
--- a/python/django/security/passwords/password-empty-string.yaml
+++ b/python/django/security/passwords/password-empty-string.yaml
@@ -9,6 +9,7 @@ rules:
 - 'CWE-521: Weak Password Requirements'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
 category: security
diff --git a/python/django/security/passwords/use-none-for-password-default.yaml b/python/django/security/passwords/use-none-for-password-default.yaml
index 134bc4f0f9..1b7a8ab078 100644
--- a/python/django/security/passwords/use-none-for-password-default.yaml
+++ b/python/django/security/passwords/use-none-for-password-default.yaml
@@ -9,6 +9,7 @@ rules:
 - 'CWE-521: Weak Password Requirements'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
 category: security
diff --git a/python/fastapi/security/wildcard-cors.yaml b/python/fastapi/security/wildcard-cors.yaml
index 17d30f4d65..ab93f25d26 100644
--- a/python/fastapi/security/wildcard-cors.yaml
+++ b/python/fastapi/security/wildcard-cors.yaml
@@ -21,6 +21,7 @@ rules:
 - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - python
diff --git a/python/flask/security/audit/app-run-param-config.yaml b/python/flask/security/audit/app-run-param-config.yaml
index 2196342845..9ac58f6e49 100644
--- a/python/flask/security/audit/app-run-param-config.yaml
+++ b/python/flask/security/audit/app-run-param-config.yaml
@@ -6,6 +6,7 @@ rules:
 - 'CWE-668: Exposure of Resource to Wrong Sphere'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - flask
diff --git a/python/flask/security/audit/app-run-security-config.yaml b/python/flask/security/audit/app-run-security-config.yaml
index bd1b86ee40..9c3b6c7a8e 100644
--- a/python/flask/security/audit/app-run-security-config.yaml
+++ b/python/flask/security/audit/app-run-security-config.yaml
@@ -15,6 +15,7 @@ rules:
 - 'CWE-668: Exposure of Resource to Wrong Sphere'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - flask
diff --git a/python/flask/security/audit/directly-returned-format-string.yaml b/python/flask/security/audit/directly-returned-format-string.yaml
index 126499ac96..a1e4f19939 100644
--- a/python/flask/security/audit/directly-returned-format-string.yaml
+++ b/python/flask/security/audit/directly-returned-format-string.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - flask
diff --git a/python/flask/security/audit/flask-cors-misconfiguration.yaml b/python/flask/security/audit/flask-cors-misconfiguration.yaml
index 503f75edf5..d88462872c 100644
--- a/python/flask/security/audit/flask-cors-misconfiguration.yaml
+++ b/python/flask/security/audit/flask-cors-misconfiguration.yaml
@@ -1,38 +1,39 @@
-rules:
- - id: flask-cors-misconfiguration
- message: >-
- Setting 'support_credentials=True' together with 'origin="*"' is a CORS
- misconfiguration that can allow third party origins to read sensitive
- data. Using this configuration, flask_cors will dynamically reflects the
- Origin of each request in the Access-Control-Allow-Origin header, allowing
- all origins and allowing cookies and credentials to be sent along with
- request. It is recommended to specify allowed origins instead of using "*"
- when setting 'support_credentials=True'.
- languages:
- - python
- severity: WARNING
- patterns:
- - pattern-either:
- - pattern: |
- @cross_origin(..., origins="*", supports_credentials=True, ...)
- - pattern: |
- CORS(..., supports_credentials=True, origins="*", ...)
- - pattern: |
- CORS(..., resources={"...": {...,"origins": "*",
- "supports_credentials": True,...}})
- metadata:
- category: security
- subcategory:
- - audit
- cwe:
- - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
- owasp:
- - A07:2021 - Identification and Authentication Failures
- confidence: LOW
- likelihood: LOW
- impact: HIGH
- technology:
- - flask
- references:
- - https://pypi.org/project/Flask-Cors/
- - https://flask-cors.readthedocs.io/en/latest/index.html
+rules:
+ - id: flask-cors-misconfiguration
+ message: >-
+ Setting 'support_credentials=True' together with 'origin="*"' is a CORS
+ misconfiguration that can allow third party origins to read sensitive
+ data. Using this configuration, flask_cors will dynamically reflects the
+ Origin of each request in the Access-Control-Allow-Origin header, allowing
+ all origins and allowing cookies and credentials to be sent along with
+ request. It is recommended to specify allowed origins instead of using "*"
+ when setting 'support_credentials=True'.
+ languages:
+ - python
+ severity: WARNING
+ patterns:
+ - pattern-either:
+ - pattern: |
+ @cross_origin(..., origins="*", supports_credentials=True, ...)
+ - pattern: |
+ CORS(..., supports_credentials=True, origins="*", ...)
+ - pattern: |
+ CORS(..., resources={"...": {...,"origins": "*",
+ "supports_credentials": True,...}})
+ metadata:
+ category: security
+ subcategory:
+ - audit
+ cwe:
+ - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
+ confidence: LOW
+ likelihood: LOW
+ impact: HIGH
+ technology:
+ - flask
+ references:
+ - https://pypi.org/project/Flask-Cors/
+ - https://flask-cors.readthedocs.io/en/latest/index.html
diff --git a/python/flask/security/audit/flask-url-for-external-true.yaml b/python/flask/security/audit/flask-url-for-external-true.yaml
index 14c244d9d7..bc84e7dd76 100644
--- a/python/flask/security/audit/flask-url-for-external-true.yaml
+++ b/python/flask/security/audit/flask-url-for-external-true.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-673: External Influence of Sphere Definition'
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - flask
diff --git a/python/flask/security/audit/hardcoded-config.yaml b/python/flask/security/audit/hardcoded-config.yaml
index 1ba323db5e..00448878e9 100644
--- a/python/flask/security/audit/hardcoded-config.yaml
+++ b/python/flask/security/audit/hardcoded-config.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-489: Active Debug Code'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://bento.dev/checks/flask/avoid-hardcoded-config/
 - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
@@ -37,6 +38,7 @@ rules:
 - 'CWE-489: Active Debug Code'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://bento.dev/checks/flask/avoid-hardcoded-config/
 - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
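Review bot: The rewritten flask-cors-misconfiguration.yaml message on the new side still names keywords that the rule's own patterns do not use: it says `'support_credentials=True'` (twice) and `'origin="*"'`, while every pattern matches `supports_credentials=True` and `origins="*"`, which are the Flask-Cors parameter names; since this hunk re-emits every line of the file anyway, change the first message line to `Setting 'supports_credentials=True' together with 'origins="*"' is a CORS`, the last to `when setting 'supports_credentials=True'.`, and `will dynamically reflects the` to `will dynamically reflect the`. The owasp mapping is also inconsistent with the fastapi wildcard-cors.yaml hunk above, which tags the same CWE-942 as `A05:2021 - Security Misconfiguration` / `A02:2025 - Security Misconfiguration`, whereas this rule adds `A07:2025 - Authentication Failures`; a permissive CORS policy is a misconfiguration rather than an authentication failure, so one of the two files should be aligned. Finally, a whole-file delete-and-readd for what is substantively a one-line metadata addition suggests a line-ending or indentation normalisation was folded in; if so, that belongs in its own commit so the 2025 change stays reviewable.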
@@ -61,6 +63,7 @@ rules:
 - 'CWE-489: Active Debug Code'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://bento.dev/checks/flask/avoid-hardcoded-config/
 - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
@@ -85,6 +88,7 @@ rules:
 - 'CWE-489: Active Debug Code'
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://bento.dev/checks/flask/avoid-hardcoded-config/
 - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values
diff --git a/python/flask/security/audit/render-template-string.yaml b/python/flask/security/audit/render-template-string.yaml
index 1c2a581b52..8eb13bce81 100644
--- a/python/flask/security/audit/render-template-string.yaml
+++ b/python/flask/security/audit/render-template-string.yaml
@@ -6,6 +6,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
 category: security
diff --git a/python/flask/security/audit/secure-set-cookie.yaml b/python/flask/security/audit/secure-set-cookie.yaml
index 9a29f48bcd..1cb3fa110b 100644
--- a/python/flask/security/audit/secure-set-cookie.yaml
+++ b/python/flask/security/audit/secure-set-cookie.yaml
@@ -24,6 +24,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie
 - https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options
diff --git a/python/flask/security/audit/wtf-csrf-disabled.yaml b/python/flask/security/audit/wtf-csrf-disabled.yaml
index 1ab95a47f6..4bcba1b740 100644
--- a/python/flask/security/audit/wtf-csrf-disabled.yaml
+++ b/python/flask/security/audit/wtf-csrf-disabled.yaml
@@ -9,6 +9,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://flask-wtf.readthedocs.io/en/1.2.x/csrf/
 category: security
diff --git a/python/flask/security/audit/xss/make-response-with-unknown-content.yaml b/python/flask/security/audit/xss/make-response-with-unknown-content.yaml
index d9bf1dbf01..953b70025a 100644
--- a/python/flask/security/audit/xss/make-response-with-unknown-content.yaml
+++ b/python/flask/security/audit/xss/make-response-with-unknown-content.yaml
@@ -42,6 +42,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/python/flask/security/dangerous-template-string.yaml b/python/flask/security/dangerous-template-string.yaml
index cc7e014f90..a930632229 100644
--- a/python/flask/security/dangerous-template-string.yaml
+++ b/python/flask/security/dangerous-template-string.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
 - https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti
diff --git a/python/flask/security/injection/csv-writer-injection.yaml b/python/flask/security/injection/csv-writer-injection.yaml
index 1ebacb47ea..4549bcc704 100644
--- a/python/flask/security/injection/csv-writer-injection.yaml
+++ b/python/flask/security/injection/csv-writer-injection.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/raphaelm/defusedcsv
 - https://owasp.org/www-community/attacks/CSV_Injection
diff --git a/python/flask/security/injection/os-system-injection.yaml b/python/flask/security/injection/os-system-injection.yaml
index 432e2d8bc9..72afc956fa 100644
--- a/python/flask/security/injection/os-system-injection.yaml
+++ b/python/flask/security/injection/os-system-injection.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/www-community/attacks/Command_Injection
 category: security
diff --git a/python/flask/security/injection/path-traversal-open.yaml b/python/flask/security/injection/path-traversal-open.yaml
index e4ca846ccf..2827b76afd 100644
--- a/python/flask/security/injection/path-traversal-open.yaml
+++ b/python/flask/security/injection/path-traversal-open.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Path_Traversal
 category: security
diff --git a/python/flask/security/injection/raw-html-concat.yaml b/python/flask/security/injection/raw-html-concat.yaml
index dfff4caa37..6c24523512 100644
--- a/python/flask/security/injection/raw-html-concat.yaml
+++ b/python/flask/security/injection/raw-html-concat.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - flask
diff --git a/python/flask/security/injection/ssrf-requests.yaml b/python/flask/security/injection/ssrf-requests.yaml
index d24a256237..36c9f4de93 100644
--- a/python/flask/security/injection/ssrf-requests.yaml
+++ b/python/flask/security/injection/ssrf-requests.yaml
@@ -12,6 +12,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
 category: security
diff --git a/python/flask/security/injection/subprocess-injection.yaml b/python/flask/security/injection/subprocess-injection.yaml
index cdbf6f6dfc..50c363f02f 100644
--- a/python/flask/security/injection/subprocess-injection.yaml
+++ b/python/flask/security/injection/subprocess-injection.yaml
@@ -73,6 +73,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 references:
diff --git a/python/flask/security/injection/tainted-sql-string.yaml b/python/flask/security/injection/tainted-sql-string.yaml
index 5ff2b89c51..0ae1bdf05c 100644
--- a/python/flask/security/injection/tainted-sql-string.yaml
+++ b/python/flask/security/injection/tainted-sql-string.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
 - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
diff --git a/python/flask/security/injection/tainted-url-host.yaml b/python/flask/security/injection/tainted-url-host.yaml
index 46e3f565b2..b6756d2966 100644
--- a/python/flask/security/injection/tainted-url-host.yaml
+++ b/python/flask/security/injection/tainted-url-host.yaml
@@ -15,6 +15,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 category: security
diff --git a/python/flask/security/injection/user-eval.yaml b/python/flask/security/injection/user-eval.yaml
index e6e461dbb1..6f4bd983f6 100644
--- a/python/flask/security/injection/user-eval.yaml
+++ b/python/flask/security/injection/user-eval.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
 category: security
diff --git a/python/flask/security/injection/user-exec.yaml b/python/flask/security/injection/user-exec.yaml
index f15bb697f8..8efdc240e3 100644
--- a/python/flask/security/injection/user-exec.yaml
+++ b/python/flask/security/injection/user-exec.yaml
@@ -9,6 +9,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html
 category: security
diff --git a/python/flask/security/insecure-deserialization.yaml b/python/flask/security/insecure-deserialization.yaml
index 45e7325752..4d39ff6c01 100644
--- a/python/flask/security/insecure-deserialization.yaml
+++ b/python/flask/security/insecure-deserialization.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/flask/security/open-redirect.yaml b/python/flask/security/open-redirect.yaml
index 1993722d26..3c5017eba3 100644
--- a/python/flask/security/open-redirect.yaml
+++ b/python/flask/security/open-redirect.yaml
@@ -47,6 +47,7 @@ rules:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 references:
 - https://flask-login.readthedocs.io/en/latest/#login-example
 - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1
diff --git a/python/flask/security/secure-static-file-serve.yaml b/python/flask/security/secure-static-file-serve.yaml
index a42f55da1a..21839bd092 100644
--- a/python/flask/security/secure-static-file-serve.yaml
+++ b/python/flask/security/secure-static-file-serve.yaml
@@ -14,6 +14,7 @@ rules:
 - 'CWE-73: External Control of File Name or Path'
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 category: security
 technology:
 - flask
diff --git a/python/flask/security/unescaped-template-extension.yaml b/python/flask/security/unescaped-template-extension.yaml
index ffd4652f90..8afae4abe3 100644
--- a/python/flask/security/unescaped-template-extension.yaml
+++ b/python/flask/security/unescaped-template-extension.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://pypi.org/project/flake8-flask/
 references:
 - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
diff --git a/python/flask/security/unsanitized-input.yaml b/python/flask/security/unsanitized-input.yaml
index f125d63db1..f0197afff8 100644
--- a/python/flask/security/unsanitized-input.yaml
+++ b/python/flask/security/unsanitized-input.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.0.x/security/
 - https://owasp.org/www-community/attacks/xss/
diff --git a/python/flask/security/xss/audit/direct-use-of-jinja2.yaml b/python/flask/security/xss/audit/direct-use-of-jinja2.yaml
index dfa6c9d24e..6d176ac797 100644
--- a/python/flask/security/xss/audit/direct-use-of-jinja2.yaml
+++ b/python/flask/security/xss/audit/direct-use-of-jinja2.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
 category: security
diff --git a/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml b/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
index d2bcf78e6a..8741fa7bee 100644
--- a/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
+++ b/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://tedboy.github.io/flask/generated/generated/flask.Markup.html
 category: security
diff --git a/python/flask/security/xss/audit/template-autoescape-off.yaml b/python/flask/security/xss/audit/template-autoescape-off.yaml
index 5e82866ca5..8543a5a35c 100644
--- a/python/flask/security/xss/audit/template-autoescape-off.yaml
+++ b/python/flask/security/xss/audit/template-autoescape-off.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping
 - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
diff --git a/python/flask/security/xss/audit/template-unescaped-with-safe.yaml b/python/flask/security/xss/audit/template-unescaped-with-safe.yaml
index 73971051ed..dbb4b714ef 100644
--- a/python/flask/security/xss/audit/template-unescaped-with-safe.yaml
+++ b/python/flask/security/xss/audit/template-unescaped-with-safe.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
 category: security
diff --git a/python/flask/security/xss/audit/template-unquoted-attribute-var.yaml b/python/flask/security/xss/audit/template-unquoted-attribute-var.yaml
index 4c05178bd6..b41a1523ef 100644
--- a/python/flask/security/xss/audit/template-unquoted-attribute-var.yaml
+++ b/python/flask/security/xss/audit/template-unquoted-attribute-var.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
 category: security
diff --git a/python/jinja2/security/audit/autoescape-disabled-false.yaml b/python/jinja2/security/audit/autoescape-disabled-false.yaml
index b7113f5d7e..8e4841a320 100644
--- a/python/jinja2/security/audit/autoescape-disabled-false.yaml
+++ b/python/jinja2/security/audit/autoescape-disabled-false.yaml
@@ -19,6 +19,7 @@ rules:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
 category: security
diff --git a/python/jinja2/security/audit/missing-autoescape-disabled.yaml b/python/jinja2/security/audit/missing-autoescape-disabled.yaml
index f79886d18e..3d95141f32 100644
--- a/python/jinja2/security/audit/missing-autoescape-disabled.yaml
+++ b/python/jinja2/security/audit/missing-autoescape-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-116: Improper Encoding or Escaping of Output'
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
 category: security
diff --git a/python/jwt/security/audit/jwt-exposed-data.yaml b/python/jwt/security/audit/jwt-exposed-data.yaml
index a046af9b92..6db403ab43 100644
--- a/python/jwt/security/audit/jwt-exposed-data.yaml
+++ b/python/jwt/security/audit/jwt-exposed-data.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-522: Insufficiently Protected Credentials'
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
diff --git a/python/jwt/security/jwt-exposed-credentials.yaml b/python/jwt/security/jwt-exposed-credentials.yaml
index 03a0abf566..091d5d25e5 100644
--- a/python/jwt/security/jwt-exposed-credentials.yaml
+++ b/python/jwt/security/jwt-exposed-credentials.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 references:
 - https://cwe.mitre.org/data/definitions/522.html
diff --git a/python/jwt/security/jwt-hardcode.yaml b/python/jwt/security/jwt-hardcode.yaml
index d9a5434af7..3ec401f1a8 100644
--- a/python/jwt/security/jwt-hardcode.yaml
+++ b/python/jwt/security/jwt-hardcode.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
diff --git a/python/jwt/security/jwt-none-alg.yaml b/python/jwt/security/jwt-none-alg.yaml
index cbd0f271cd..1cd157f0f2 100644
--- a/python/jwt/security/jwt-none-alg.yaml
+++ b/python/jwt/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/python/jwt/security/unverified-jwt-decode.yaml b/python/jwt/security/unverified-jwt-decode.yaml
index 3452beb6b1..8e94cd03c9 100644
--- a/python/jwt/security/unverified-jwt-decode.yaml
+++ b/python/jwt/security/unverified-jwt-decode.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-287: Improper Authentication'
 references:
diff --git a/python/lang/security/audit/conn_recv.yaml b/python/lang/security/audit/conn_recv.yaml
index 8bc43da152..50762d5c19 100644
--- a/python/lang/security/audit/conn_recv.yaml
+++ b/python/lang/security/audit/conn_recv.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 references:
 - https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
 category: security
diff --git a/python/lang/security/audit/dangerous-annotations-usage.yaml b/python/lang/security/audit/dangerous-annotations-usage.yaml
index 1825000ff9..4074a0c948 100644
--- a/python/lang/security/audit/dangerous-annotations-usage.yaml
+++ b/python/lang/security/audit/dangerous-annotations-usage.yaml
@@ -19,6 +19,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 references:
 - https://docs.python.org/3/library/typing.html#typing.get_type_hints
diff --git a/python/lang/security/audit/dangerous-asyncio-create-exec-audit.yaml b/python/lang/security/audit/dangerous-asyncio-create-exec-audit.yaml
index b5003d5946..b84fca6a0d 100644
--- a/python/lang/security/audit/dangerous-asyncio-create-exec-audit.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-create-exec-audit.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-asyncio-create-exec-tainted-env-args.yaml b/python/lang/security/audit/dangerous-asyncio-create-exec-tainted-env-args.yaml
index d2951b2d24..41d5b230cb 100644
--- a/python/lang/security/audit/dangerous-asyncio-create-exec-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-create-exec-tainted-env-args.yaml
@@ -84,6 +84,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-asyncio-exec-audit.yaml b/python/lang/security/audit/dangerous-asyncio-exec-audit.yaml
index 80d7ff4e33..a1d6490935 100644
--- a/python/lang/security/audit/dangerous-asyncio-exec-audit.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-exec-audit.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-asyncio-exec-tainted-env-args.yaml b/python/lang/security/audit/dangerous-asyncio-exec-tainted-env-args.yaml
index 6c2fef3c9a..26e3cbaed3 100644
--- a/python/lang/security/audit/dangerous-asyncio-exec-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-exec-tainted-env-args.yaml
@@ -69,6 +69,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-asyncio-shell-audit.yaml b/python/lang/security/audit/dangerous-asyncio-shell-audit.yaml
index 62e63488cf..acba8863f4 100644
--- a/python/lang/security/audit/dangerous-asyncio-shell-audit.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-shell-audit.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-asyncio-shell-tainted-env-args.yaml b/python/lang/security/audit/dangerous-asyncio-shell-tainted-env-args.yaml
index 5dde1a6f08..bfc8725f37 100644
--- a/python/lang/security/audit/dangerous-asyncio-shell-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-asyncio-shell-tainted-env-args.yaml
@@ -69,6 +69,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-code-run-audit.yaml b/python/lang/security/audit/dangerous-code-run-audit.yaml
index f2f17bc5c8..96d76be677 100644
--- a/python/lang/security/audit/dangerous-code-run-audit.yaml
+++ b/python/lang/security/audit/dangerous-code-run-audit.yaml
@@ -39,6 +39,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/audit/dangerous-code-run-tainted-env-args.yaml b/python/lang/security/audit/dangerous-code-run-tainted-env-args.yaml
index 9a4af7bde6..5b5c9e1a33 100644
--- a/python/lang/security/audit/dangerous-code-run-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-code-run-tainted-env-args.yaml
@@ -89,6 +89,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/audit/dangerous-os-exec-audit.yaml b/python/lang/security/audit/dangerous-os-exec-audit.yaml
index 51238ebc0c..4b54da5550 100644
--- a/python/lang/security/audit/dangerous-os-exec-audit.yaml
+++ b/python/lang/security/audit/dangerous-os-exec-audit.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-os-exec-tainted-env-args.yaml b/python/lang/security/audit/dangerous-os-exec-tainted-env-args.yaml
index 8311763f54..52db1b9f71 100644
--- a/python/lang/security/audit/dangerous-os-exec-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-os-exec-tainted-env-args.yaml
@@ -87,6 +87,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-spawn-process-audit.yaml b/python/lang/security/audit/dangerous-spawn-process-audit.yaml
index 3e09621b87..fb9f85c5d2 100644
--- a/python/lang/security/audit/dangerous-spawn-process-audit.yaml
+++ b/python/lang/security/audit/dangerous-spawn-process-audit.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-spawn-process-tainted-env-args.yaml b/python/lang/security/audit/dangerous-spawn-process-tainted-env-args.yaml
index 3b9d16fa17..c64ec421b0 100644
--- a/python/lang/security/audit/dangerous-spawn-process-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-spawn-process-tainted-env-args.yaml
@@ -90,6 +90,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-subinterpreters-run-string-audit.yaml b/python/lang/security/audit/dangerous-subinterpreters-run-string-audit.yaml
index b363da5954..18fb9d076f 100644
--- a/python/lang/security/audit/dangerous-subinterpreters-run-string-audit.yaml
+++ b/python/lang/security/audit/dangerous-subinterpreters-run-string-audit.yaml
@@ -15,6 +15,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://bugs.python.org/issue43472
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
diff --git a/python/lang/security/audit/dangerous-subinterpreters-run-string-tainted-env-args.yaml b/python/lang/security/audit/dangerous-subinterpreters-run-string-tainted-env-args.yaml
index b9a67dab23..1b2bbd5cfd 100644
--- a/python/lang/security/audit/dangerous-subinterpreters-run-string-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-subinterpreters-run-string-tainted-env-args.yaml
@@ -64,6 +64,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://bugs.python.org/issue43472
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
diff --git a/python/lang/security/audit/dangerous-subprocess-use-audit.yaml b/python/lang/security/audit/dangerous-subprocess-use-audit.yaml
index 2ba8cf6902..75ef7c2437 100644
--- a/python/lang/security/audit/dangerous-subprocess-use-audit.yaml
+++ b/python/lang/security/audit/dangerous-subprocess-use-audit.yaml
@@ -47,6 +47,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml b/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
index c7b58315a8..50bfd5acb3 100644
--- a/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
@@ -88,6 +88,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/audit/dangerous-system-call-audit.yaml b/python/lang/security/audit/dangerous-system-call-audit.yaml
index 68675725da..84e5728006 100644
--- a/python/lang/security/audit/dangerous-system-call-audit.yaml
+++ b/python/lang/security/audit/dangerous-system-call-audit.yaml
@@ -41,6 +41,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-system-call-tainted-env-args.yaml b/python/lang/security/audit/dangerous-system-call-tainted-env-args.yaml
index fa934482ab..3f635752cf 100644
--- a/python/lang/security/audit/dangerous-system-call-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-system-call-tainted-env-args.yaml
@@ -88,6 +88,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-audit.yaml b/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-audit.yaml
index f268629ea4..8ea5d7c388 100644
--- a/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-audit.yaml
+++ b/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-audit.yaml
@@ -20,6 +20,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-tainted-env-args.yaml b/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-tainted-env-args.yaml
index 20bc3c3165..993206f05b 100644
--- a/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-testcapi-run-in-subinterp-tainted-env-args.yaml
@@ -69,6 +69,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/audit/eval-detected.yaml b/python/lang/security/audit/eval-detected.yaml
index 2050d79cd8..5fc9c988fd 100644
--- a/python/lang/security/audit/eval-detected.yaml
+++ b/python/lang/security/audit/eval-detected.yaml
@@ -15,6 +15,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
 control_id: 5.2.4 Dyanmic Code Execution Features
diff --git a/python/lang/security/audit/exec-detected.yaml b/python/lang/security/audit/exec-detected.yaml
index a018893c58..702f8fdd96 100644
--- a/python/lang/security/audit/exec-detected.yaml
+++ b/python/lang/security/audit/exec-detected.yaml
@@ -14,6 +14,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 asvs:
 section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
 control_id: 5.2.4 Dyanmic Code Execution Features
diff --git a/python/lang/security/audit/formatted-sql-query.yaml b/python/lang/security/audit/formatted-sql-query.yaml
index adc48ae792..6df7ea7f69 100644
--- a/python/lang/security/audit/formatted-sql-query.yaml
+++ b/python/lang/security/audit/formatted-sql-query.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 references:
diff --git a/python/lang/security/audit/hardcoded-password-default-argument.yaml b/python/lang/security/audit/hardcoded-password-default-argument.yaml
index b160cf3eee..714d55505d 100644
--- a/python/lang/security/audit/hardcoded-password-default-argument.yaml
+++ b/python/lang/security/audit/hardcoded-password-default-argument.yaml
@@ -21,6 +21,7 @@ rules:
 - python
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 cwe2022-top25: true
diff --git a/python/lang/security/audit/httpsconnection-detected.yaml b/python/lang/security/audit/httpsconnection-detected.yaml
index 16de1538fa..cec17c842b 100644
--- a/python/lang/security/audit/httpsconnection-detected.yaml
+++ b/python/lang/security/audit/httpsconnection-detected.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-295: Improper Certificate Validation'
 references:
diff --git a/python/lang/security/audit/insecure-file-permissions.yaml b/python/lang/security/audit/insecure-file-permissions.yaml
index e3a8176ae7..7a4e84b144 100644
--- a/python/lang/security/audit/insecure-file-permissions.yaml
+++ b/python/lang/security/audit/insecure-file-permissions.yaml
@@ -6,6 +6,7 @@ rules:
 category: security
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-276: Incorrect Default Permissions'
 technology:
diff --git a/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml b/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
index ee2fbaa4b6..679724de8b 100644
--- a/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
+++ b/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/requests/request-session-http-in-with-context.yaml b/python/lang/security/audit/insecure-transport/requests/request-session-http-in-with-context.yaml
index a5da482a56..ae48f9501d 100644
--- a/python/lang/security/audit/insecure-transport/requests/request-session-http-in-with-context.yaml
+++ b/python/lang/security/audit/insecure-transport/requests/request-session-http-in-with-context.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 asvs:
diff --git a/python/lang/security/audit/insecure-transport/requests/request-session-with-http.yaml b/python/lang/security/audit/insecure-transport/requests/request-session-with-http.yaml
index e891e52831..e21224b8c0 100644
--- a/python/lang/security/audit/insecure-transport/requests/request-session-with-http.yaml
+++ b/python/lang/security/audit/insecure-transport/requests/request-session-with-http.yaml
@@ -35,6 +35,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 asvs:
diff --git a/python/lang/security/audit/insecure-transport/requests/request-with-http.yaml b/python/lang/security/audit/insecure-transport/requests/request-with-http.yaml
index 387261a981..a63ef71d0c 100644
--- a/python/lang/security/audit/insecure-transport/requests/request-with-http.yaml
+++ b/python/lang/security/audit/insecure-transport/requests/request-with-http.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 asvs:
diff --git a/python/lang/security/audit/insecure-transport/ssl/no-set-ciphers.yaml b/python/lang/security/audit/insecure-transport/ssl/no-set-ciphers.yaml
index 0609b7dd65..1bc0efd476 100644
--- a/python/lang/security/audit/insecure-transport/ssl/no-set-ciphers.yaml
+++ b/python/lang/security/audit/insecure-transport/ssl/no-set-ciphers.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 asvs:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open-ftp.yaml
index cd1d5c83c9..9259fc8f49 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open-ftp.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open.yaml
index 14edbfd7c8..5cba4981af 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-openerdirector-open.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-request-object-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-request-object-ftp.yaml
index 2f4eff818b..89fb961108 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-request-object-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-request-object-ftp.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-request-object.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-request-object.yaml
index 9a6c07ca5d..13abf0dff8 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-request-object.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-request-object.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen-ftp.yaml
index 7d530bc600..e3ebd6e127 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen-ftp.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen.yaml
index bd2d503313..4fb342fd4e 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopen.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open-ftp.yaml
index 5a6ce8023d..0d066772d9 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open-ftp.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open.yaml
index 70bcb9f143..d789199391 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-open.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve-ftp.yaml
index 9d70987ae1..713f6e8036 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve-ftp.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve.yaml
index 9963d4d25f..a4d96746f3 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlopener-retrieve.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve-ftp.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve-ftp.yaml
index 3b0fd12f38..8494ff5827 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve-ftp.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve-ftp.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve.yaml b/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve.yaml
index 8661c03941..02c996a740 100644
--- a/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve.yaml
+++ b/python/lang/security/audit/insecure-transport/urllib/insecure-urlretrieve.yaml
@@ -7,6 +7,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 references:
diff --git a/python/lang/security/audit/logging/listeneval.yaml b/python/lang/security/audit/logging/listeneval.yaml
index a979ba768f..f39f359127 100644
--- a/python/lang/security/audit/logging/listeneval.yaml
+++ b/python/lang/security/audit/logging/listeneval.yaml
@@ -16,6 +16,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen
 category: security
diff --git a/python/lang/security/audit/logging/logger-credential-leak.yaml b/python/lang/security/audit/logging/logger-credential-leak.yaml
index 98d75a550e..7ce34779c1 100644
--- a/python/lang/security/audit/logging/logger-credential-leak.yaml
+++ b/python/lang/security/audit/logging/logger-credential-leak.yaml
@@ -27,6 +27,7 @@ rules:
 - python
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 references:
 - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures
 subcategory:
diff --git a/python/lang/security/audit/mako-templates-detected.yaml b/python/lang/security/audit/mako-templates-detected.yaml
index ddce3c1344..542787e9a4 100644
--- a/python/lang/security/audit/mako-templates-detected.yaml
+++ b/python/lang/security/audit/mako-templates-detected.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py
 references:
 - https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping
diff --git a/python/lang/security/audit/marshal.yaml b/python/lang/security/audit/marshal.yaml
index d568930eff..fe55f9d9b1 100644
--- a/python/lang/security/audit/marshal.yaml
+++ b/python/lang/security/audit/marshal.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 references:
 - https://docs.python.org/3/library/marshal.html?highlight=security
 category: security
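Review bot: In the logger-credential-leak hunk the `references` list still cites only `https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures` after `- A09:2025 - Security Logging & Alerting Failures` is added, so a reader following the rule's references finds no source for the 2025 category the metadata now claims; adding the matching OWASP Top 10 2025 category page to `references` would keep the two fields consistent. The same gap applies to the mode-without-authentication hunk further down, whose references cite only the 2021 Cryptographic Failures page. The new A09 entry is also the only 2025 mapping in this set written with `&` rather than `and`; it presumably mirrors the official 2025 title, but it is worth confirming, since consumers that filter on the category string will not match a variant spelling.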
diff --git a/python/lang/security/audit/md5-used-as-password.yaml b/python/lang/security/audit/md5-used-as-password.yaml
index 7a14901160..f07373a922 100644
--- a/python/lang/security/audit/md5-used-as-password.yaml
+++ b/python/lang/security/audit/md5-used-as-password.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://tools.ietf.org/html/rfc6151
 - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
diff --git a/python/lang/security/audit/network/bind.yaml b/python/lang/security/audit/network/bind.yaml
index 2bf54f8e05..8db246e2db 100644
--- a/python/lang/security/audit/network/bind.yaml
+++ b/python/lang/security/audit/network/bind.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - python
diff --git a/python/lang/security/audit/network/disabled-cert-validation.yaml b/python/lang/security/audit/network/disabled-cert-validation.yaml
index 9225713eef..9db3cca7fd 100644
--- a/python/lang/security/audit/network/disabled-cert-validation.yaml
+++ b/python/lang/security/audit/network/disabled-cert-validation.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 category: security
 technology:
 - python
diff --git a/python/lang/security/audit/network/http-not-https-connection.yaml b/python/lang/security/audit/network/http-not-https-connection.yaml
index b629e87095..f38ec89766 100644
--- a/python/lang/security/audit/network/http-not-https-connection.yaml
+++ b/python/lang/security/audit/network/http-not-https-connection.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool
 category: security
diff --git a/python/lang/security/audit/non-literal-import.yaml b/python/lang/security/audit/non-literal-import.yaml
index 33f5a9f212..e2a540b433 100644
--- a/python/lang/security/audit/non-literal-import.yaml
+++ b/python/lang/security/audit/non-literal-import.yaml
@@ -13,6 +13,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-706: Use of Incorrectly-Resolved Name or Reference'
 category: security
diff --git a/python/lang/security/audit/paramiko-implicit-trust-host-key.yaml b/python/lang/security/audit/paramiko-implicit-trust-host-key.yaml
index 0764ca55bc..1125130523 100644
--- a/python/lang/security/audit/paramiko-implicit-trust-host-key.yaml
+++ b/python/lang/security/audit/paramiko-implicit-trust-host-key.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-322: Key Exchange without Entity Authentication'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/ssh_no_host_key_verification.py
 references:
 - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy
diff --git a/python/lang/security/audit/paramiko/paramiko-exec-command.yaml b/python/lang/security/audit/paramiko/paramiko-exec-command.yaml
index 953d974950..7165e9cd48 100644
--- a/python/lang/security/audit/paramiko/paramiko-exec-command.yaml
+++ b/python/lang/security/audit/paramiko/paramiko-exec-command.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 references:
diff --git a/python/lang/security/audit/sha224-hash.yaml b/python/lang/security/audit/sha224-hash.yaml
index eca7c4f36f..35ae1d12ec 100644
--- a/python/lang/security/audit/sha224-hash.yaml
+++ b/python/lang/security/audit/sha224-hash.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf
 - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography
diff --git a/python/lang/security/audit/sqli/aiopg-sqli.yaml b/python/lang/security/audit/sqli/aiopg-sqli.yaml
index 3fd93dd3b4..6376c3637d 100644
--- a/python/lang/security/audit/sqli/aiopg-sqli.yaml
+++ b/python/lang/security/audit/sqli/aiopg-sqli.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/python/lang/security/audit/sqli/asyncpg-sqli.yaml b/python/lang/security/audit/sqli/asyncpg-sqli.yaml
index 45f88f9e15..b28e305d43 100644
--- a/python/lang/security/audit/sqli/asyncpg-sqli.yaml
+++ b/python/lang/security/audit/sqli/asyncpg-sqli.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/python/lang/security/audit/sqli/pg8000-sqli.yaml b/python/lang/security/audit/sqli/pg8000-sqli.yaml
index 583a53be4e..635d66b7aa 100644
--- a/python/lang/security/audit/sqli/pg8000-sqli.yaml
+++ b/python/lang/security/audit/sqli/pg8000-sqli.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/python/lang/security/audit/sqli/psycopg-sqli.yaml b/python/lang/security/audit/sqli/psycopg-sqli.yaml
index 6ae774afd2..1d263297f6 100644
--- a/python/lang/security/audit/sqli/psycopg-sqli.yaml
+++ b/python/lang/security/audit/sqli/psycopg-sqli.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/python/lang/security/audit/ssl-wrap-socket-is-deprecated.yaml b/python/lang/security/audit/ssl-wrap-socket-is-deprecated.yaml
index db98dba67b..2f7bb47271 100644
--- a/python/lang/security/audit/ssl-wrap-socket-is-deprecated.yaml
+++ b/python/lang/security/audit/ssl-wrap-socket-is-deprecated.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
 - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
diff --git a/python/lang/security/audit/subprocess-list-passed-as-string.yaml b/python/lang/security/audit/subprocess-list-passed-as-string.yaml
index 6687372db9..b2a44c10fa 100644
--- a/python/lang/security/audit/subprocess-list-passed-as-string.yaml
+++ b/python/lang/security/audit/subprocess-list-passed-as-string.yaml
@@ -33,6 +33,7 @@ rules:
 - "https://docs.python.org/3/library/subprocess.html#frequently-used-arguments"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - python
 confidence: LOW
diff --git a/python/lang/security/audit/subprocess-shell-true.yaml b/python/lang/security/audit/subprocess-shell-true.yaml
index 8f70e34a86..08893d6f59 100644
--- a/python/lang/security/audit/subprocess-shell-true.yaml
+++ b/python/lang/security/audit/subprocess-shell-true.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 references:
diff --git a/python/lang/security/audit/telnetlib.yaml b/python/lang/security/audit/telnetlib.yaml
index faa9e95708..de1e4e2c3d 100644
--- a/python/lang/security/audit/telnetlib.yaml
+++ b/python/lang/security/audit/telnetlib.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B312
 references:
 - https://docs.python.org/3/library/telnetlib.html
diff --git a/python/lang/security/audit/weak-ssl-version.yaml b/python/lang/security/audit/weak-ssl-version.yaml
index ebdda66f0e..d1a9a77e0a 100644
--- a/python/lang/security/audit/weak-ssl-version.yaml
+++ b/python/lang/security/audit/weak-ssl-version.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/insecure_ssl_tls.py#L30
 asvs:
 section: V9 Communications Verification Requirements
diff --git a/python/lang/security/dangerous-code-run.yaml b/python/lang/security/dangerous-code-run.yaml
index 3aec7b987a..2d48a8cb72 100644
--- a/python/lang/security/dangerous-code-run.yaml
+++ b/python/lang/security/dangerous-code-run.yaml
@@ -140,6 +140,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/dangerous-globals-use.yaml b/python/lang/security/dangerous-globals-use.yaml
index c8f3e96d06..2f4f6fd7c5 100644
--- a/python/lang/security/dangerous-globals-use.yaml
+++ b/python/lang/security/dangerous-globals-use.yaml
@@ -39,6 +39,7 @@ rules:
 - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186
 category: security
diff --git a/python/lang/security/dangerous-os-exec.yaml b/python/lang/security/dangerous-os-exec.yaml
index 7da2b204c7..8d35a471f6 100644
--- a/python/lang/security/dangerous-os-exec.yaml
+++ b/python/lang/security/dangerous-os-exec.yaml
@@ -138,6 +138,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/dangerous-spawn-process.yaml b/python/lang/security/dangerous-spawn-process.yaml
index 2b85a2d7fc..81c4ed7569 100644
--- a/python/lang/security/dangerous-spawn-process.yaml
+++ b/python/lang/security/dangerous-spawn-process.yaml
@@ -184,6 +184,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/dangerous-subinterpreters-run-string.yaml b/python/lang/security/dangerous-subinterpreters-run-string.yaml
index 2a6e28aeb7..11cd539dcf 100644
--- a/python/lang/security/dangerous-subinterpreters-run-string.yaml
+++ b/python/lang/security/dangerous-subinterpreters-run-string.yaml
@@ -115,6 +115,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://bugs.python.org/issue43472
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
diff --git a/python/lang/security/dangerous-subprocess-use.yaml b/python/lang/security/dangerous-subprocess-use.yaml
index d626a05a02..c94ecd7cad 100644
--- a/python/lang/security/dangerous-subprocess-use.yaml
+++ b/python/lang/security/dangerous-subprocess-use.yaml
@@ -137,6 +137,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 asvs:
diff --git a/python/lang/security/dangerous-system-call.yaml b/python/lang/security/dangerous-system-call.yaml
index abf9e9b175..ff0dc8216d 100644
--- a/python/lang/security/dangerous-system-call.yaml
+++ b/python/lang/security/dangerous-system-call.yaml
@@ -142,6 +142,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 asvs:
diff --git a/python/lang/security/dangerous-testcapi-run-in-subinterp.yaml b/python/lang/security/dangerous-testcapi-run-in-subinterp.yaml
index 11371a57f7..e96c5750c1 100644
--- a/python/lang/security/dangerous-testcapi-run-in-subinterp.yaml
+++ b/python/lang/security/dangerous-testcapi-run-in-subinterp.yaml
@@ -120,6 +120,7 @@ rules:
 - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/
 category: security
diff --git a/python/lang/security/deserialization/avoid-jsonpickle.yaml b/python/lang/security/deserialization/avoid-jsonpickle.yaml
index 283015e4fa..dac87bea4c 100644
--- a/python/lang/security/deserialization/avoid-jsonpickle.yaml
+++ b/python/lang/security/deserialization/avoid-jsonpickle.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/lang/security/deserialization/avoid-pyyaml-load.yaml b/python/lang/security/deserialization/avoid-pyyaml-load.yaml
index 067e8eb3ae..5def88adb0 100644
--- a/python/lang/security/deserialization/avoid-pyyaml-load.yaml
+++ b/python/lang/security/deserialization/avoid-pyyaml-load.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/lang/security/deserialization/avoid-unsafe-ruamel.yaml b/python/lang/security/deserialization/avoid-unsafe-ruamel.yaml
index 0063cca5fd..2c35f1c98c 100644
--- a/python/lang/security/deserialization/avoid-unsafe-ruamel.yaml
+++ b/python/lang/security/deserialization/avoid-unsafe-ruamel.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/lang/security/deserialization/pickle.yaml b/python/lang/security/deserialization/pickle.yaml
index f0e7f87448..a83709e112 100644
--- a/python/lang/security/deserialization/pickle.yaml
+++ b/python/lang/security/deserialization/pickle.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
@@ -37,6 +38,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
@@ -67,6 +69,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
@@ -98,6 +101,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 references:
diff --git a/python/lang/security/insecure-hash-algorithms-md5.yaml b/python/lang/security/insecure-hash-algorithms-md5.yaml
index 6813c16478..63b32f9402 100644
--- a/python/lang/security/insecure-hash-algorithms-md5.yaml
+++ b/python/lang/security/insecure-hash-algorithms-md5.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B303
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/python/lang/security/insecure-hash-algorithms.yaml b/python/lang/security/insecure-hash-algorithms.yaml
index c9d5ef9dcb..3f9da37dbc 100644
--- a/python/lang/security/insecure-hash-algorithms.yaml
+++ b/python/lang/security/insecure-hash-algorithms.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B303
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/python/lang/security/insecure-hash-function.yaml b/python/lang/security/insecure-hash-function.yaml
index 5179a9806e..028db5caee 100644
--- a/python/lang/security/insecure-hash-function.yaml
+++ b/python/lang/security/insecure-hash-function.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/hashlib_new_insecure_functions.py
 asvs:
 section: V6 Stored Cryptography Verification Requirements
diff --git a/python/lang/security/insecure-uuid-version.yaml b/python/lang/security/insecure-uuid-version.yaml
index 00d78f516e..64932afb31 100644
--- a/python/lang/security/insecure-uuid-version.yaml
+++ b/python/lang/security/insecure-uuid-version.yaml
@@ -11,6 +11,7 @@ rules:
 - 'CWE-330: Use of Insufficiently Random Values'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 asvs:
 section: V6 Stored Cryptography Verification Requirements
 control_id: 6.3.2 Insecure UUID Generation
diff --git a/python/lang/security/unverified-ssl-context.yaml b/python/lang/security/unverified-ssl-context.yaml
index 64f6ea2cc6..16a31af900 100644
--- a/python/lang/security/unverified-ssl-context.yaml
+++ b/python/lang/security/unverified-ssl-context.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-295: Improper Certificate Validation'
 references:
diff --git a/python/lang/security/use-defused-xml-parse.yaml b/python/lang/security/use-defused-xml-parse.yaml
index d3f0d50ce4..d075ab036a 100644
--- a/python/lang/security/use-defused-xml-parse.yaml
+++ b/python/lang/security/use-defused-xml-parse.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 references:
diff --git a/python/lang/security/use-defused-xml.yaml b/python/lang/security/use-defused-xml.yaml
index 5441aa5ba7..7be7d6f435 100644
--- a/python/lang/security/use-defused-xml.yaml
+++ b/python/lang/security/use-defused-xml.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-611: Improper Restriction of XML External Entity Reference'
 references:
diff --git a/python/lang/security/use-defused-xmlrpc.yaml b/python/lang/security/use-defused-xmlrpc.yaml
index e371551230..c5372b93e4 100644
--- a/python/lang/security/use-defused-xmlrpc.yaml
+++ b/python/lang/security/use-defused-xmlrpc.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160
 references:
 - https://pypi.org/project/defusedxml/
diff --git a/python/lang/security/use-defusedcsv.yaml b/python/lang/security/use-defusedcsv.yaml
index 4f97e33656..13e5d8d124 100644
--- a/python/lang/security/use-defusedcsv.yaml
+++ b/python/lang/security/use-defusedcsv.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://github.com/raphaelm/defusedcsv
 - https://owasp.org/www-community/attacks/CSV_Injection
diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml
index ca469bb89c..cfdb86d429 100644
--- a/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml
+++ b/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption
diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml
index 47e5c8c1d3..91d7ca046d 100644
--- a/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml
+++ b/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://cwe.mitre.org/data/definitions/326.html
diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml
index 1d44b94805..beb6c10e82 100644
--- a/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml
+++ b/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://cwe.mitre.org/data/definitions/326.html
diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml
index 15696a01cf..7857de56dc 100644
--- a/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml
+++ b/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://cwe.mitre.org/data/definitions/326.html
diff --git a/python/pycryptodome/security/insecure-cipher-algorithm.yaml b/python/pycryptodome/security/insecure-cipher-algorithm.yaml
index edf8af8d9e..6bcc3c40bf 100644
--- a/python/pycryptodome/security/insecure-cipher-algorithm.yaml
+++ b/python/pycryptodome/security/insecure-cipher-algorithm.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 bandit-code: B304
 references:
 - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption
diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml
index 1b7ce5e433..9118455cbc 100644
--- a/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml
+++ b/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms
 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml
index ac6066ff9f..12d7bcab3a 100644
--- a/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml
+++ b/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms
 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml
index b40715f924..9da1f50766 100644
--- a/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml
+++ b/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms
 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
diff --git a/python/pycryptodome/security/insecure-hash-algorithm.yaml b/python/pycryptodome/security/insecure-hash-algorithm.yaml
index 176280bbb8..f9c4d27ca4 100644
--- a/python/pycryptodome/security/insecure-hash-algorithm.yaml
+++ b/python/pycryptodome/security/insecure-hash-algorithm.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
 - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
diff --git a/python/pycryptodome/security/insufficient-dsa-key-size.yaml b/python/pycryptodome/security/insufficient-dsa-key-size.yaml
index 5624f80d82..064f72d357 100644
--- a/python/pycryptodome/security/insufficient-dsa-key-size.yaml
+++ b/python/pycryptodome/security/insufficient-dsa-key-size.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
 references:
 - https://www.pycryptodome.org/src/public_key/dsa
diff --git a/python/pycryptodome/security/insufficient-rsa-key-size.yaml b/python/pycryptodome/security/insufficient-rsa-key-size.yaml
index 6649825afc..bf1a4ec67e 100644
--- a/python/pycryptodome/security/insufficient-rsa-key-size.yaml
+++ b/python/pycryptodome/security/insufficient-rsa-key-size.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
 references:
 - https://www.pycryptodome.org/src/public_key/rsa#rsa
diff --git a/python/pycryptodome/security/mode-without-authentication.yaml b/python/pycryptodome/security/mode-without-authentication.yaml
index 521c1c776b..e524d92ac6 100644
--- a/python/pycryptodome/security/mode-without-authentication.yaml
+++ b/python/pycryptodome/security/mode-without-authentication.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
 subcategory:
diff --git a/python/pyramid/audit/authtkt-cookie-httponly-unsafe-default.yaml b/python/pyramid/audit/authtkt-cookie-httponly-unsafe-default.yaml
index 7267fdf747..17245d6ac5 100644
--- a/python/pyramid/audit/authtkt-cookie-httponly-unsafe-default.yaml
+++ b/python/pyramid/audit/authtkt-cookie-httponly-unsafe-default.yaml
@@ -22,6 +22,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/authtkt-cookie-httponly-unsafe-value.yaml b/python/pyramid/audit/authtkt-cookie-httponly-unsafe-value.yaml
index d8820b61f7..1de2a3a4ae 100644
--- a/python/pyramid/audit/authtkt-cookie-httponly-unsafe-value.yaml
+++ b/python/pyramid/audit/authtkt-cookie-httponly-unsafe-value.yaml
@@ -25,6 +25,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
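Review bot: In `mode-without-authentication.yaml` the `references` list still cites only `https://owasp.org/Top10/A02_2021-Cryptographic_Failures` while the `owasp` list now also claims `A04:2025 - Cryptographic Failures`, so the references no longer cover every category the rule maps to. If the project keeps one OWASP reference per mapped category, the corresponding 2025 page should be added next to the 2021 one. The same mismatch appears in `sqlalchemy-sql-injection.yaml`, `json-entity-escape.yaml`, `no-eval.yaml` and `ssl-mode-no-verify.yaml`, whose references point only at the `A03_2021` or `A07_2021` pages.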
diff --git a/python/pyramid/audit/authtkt-cookie-samesite.yaml b/python/pyramid/audit/authtkt-cookie-samesite.yaml
index 74099d0ad0..ed4694dd81 100644
--- a/python/pyramid/audit/authtkt-cookie-samesite.yaml
+++ b/python/pyramid/audit/authtkt-cookie-samesite.yaml
@@ -20,6 +20,7 @@ rules:
 - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/authtkt-cookie-secure-unsafe-default.yaml b/python/pyramid/audit/authtkt-cookie-secure-unsafe-default.yaml
index 7bccab07ec..aa3cfd55cc 100644
--- a/python/pyramid/audit/authtkt-cookie-secure-unsafe-default.yaml
+++ b/python/pyramid/audit/authtkt-cookie-secure-unsafe-default.yaml
@@ -23,6 +23,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/authtkt-cookie-secure-unsafe-value.yaml b/python/pyramid/audit/authtkt-cookie-secure-unsafe-value.yaml
index f1ef5338a6..b51e055215 100644
--- a/python/pyramid/audit/authtkt-cookie-secure-unsafe-value.yaml
+++ b/python/pyramid/audit/authtkt-cookie-secure-unsafe-value.yaml
@@ -25,6 +25,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/csrf-check-disabled.yaml b/python/pyramid/audit/csrf-check-disabled.yaml
index a7908ecad4..ffd70b7f24 100644
--- a/python/pyramid/audit/csrf-check-disabled.yaml
+++ b/python/pyramid/audit/csrf-check-disabled.yaml
@@ -6,6 +6,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 asvs:
 section: V4 Access Control
 control_id: 4.2.2 CSRF
diff --git a/python/pyramid/audit/csrf-origin-check-disabled-globally.yaml b/python/pyramid/audit/csrf-origin-check-disabled-globally.yaml
index 9fd6d59a0d..8773d2ff3a 100644
--- a/python/pyramid/audit/csrf-origin-check-disabled-globally.yaml
+++ b/python/pyramid/audit/csrf-origin-check-disabled-globally.yaml
@@ -22,6 +22,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/csrf-origin-check-disabled.yaml b/python/pyramid/audit/csrf-origin-check-disabled.yaml
index 750e244f69..13b27c671a 100644
--- a/python/pyramid/audit/csrf-origin-check-disabled.yaml
+++ b/python/pyramid/audit/csrf-origin-check-disabled.yaml
@@ -8,6 +8,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 asvs:
 section: V4 Access Control
 control_id: 4.2.2 CSRF
diff --git a/python/pyramid/audit/set-cookie-httponly-unsafe-default.yaml b/python/pyramid/audit/set-cookie-httponly-unsafe-default.yaml
index dc153d9ed5..a2c48d018b 100644
--- a/python/pyramid/audit/set-cookie-httponly-unsafe-default.yaml
+++ b/python/pyramid/audit/set-cookie-httponly-unsafe-default.yaml
@@ -29,6 +29,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/set-cookie-httponly-unsafe-value.yaml b/python/pyramid/audit/set-cookie-httponly-unsafe-value.yaml
index d65c46a3e2..e07e06db56 100644
--- a/python/pyramid/audit/set-cookie-httponly-unsafe-value.yaml
+++ b/python/pyramid/audit/set-cookie-httponly-unsafe-value.yaml
@@ -32,6 +32,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://owasp.org/www-community/controls/SecureCookieAttribute
 - https://owasp.org/www-community/HttpOnly
diff --git a/python/pyramid/audit/set-cookie-samesite-unsafe-default.yaml b/python/pyramid/audit/set-cookie-samesite-unsafe-default.yaml
index bafb0bacc1..206dbe1cbe 100644
--- a/python/pyramid/audit/set-cookie-samesite-unsafe-default.yaml
+++ b/python/pyramid/audit/set-cookie-samesite-unsafe-default.yaml
@@ -29,6 +29,7 @@ rules:
 - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/set-cookie-samesite-unsafe-value.yaml b/python/pyramid/audit/set-cookie-samesite-unsafe-value.yaml
index 9678a42ff8..afa0344f42 100644
--- a/python/pyramid/audit/set-cookie-samesite-unsafe-value.yaml
+++ b/python/pyramid/audit/set-cookie-samesite-unsafe-value.yaml
@@ -31,6 +31,7 @@ rules:
 - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/set-cookie-secure-unsafe-default.yaml b/python/pyramid/audit/set-cookie-secure-unsafe-default.yaml
index f77016a089..c469527af3 100644
--- a/python/pyramid/audit/set-cookie-secure-unsafe-default.yaml
+++ b/python/pyramid/audit/set-cookie-secure-unsafe-default.yaml
@@ -29,6 +29,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/audit/set-cookie-secure-unsafe-value.yaml b/python/pyramid/audit/set-cookie-secure-unsafe-value.yaml
index fdc73189f8..a65ae86679 100644
--- a/python/pyramid/audit/set-cookie-secure-unsafe-value.yaml
+++ b/python/pyramid/audit/set-cookie-secure-unsafe-value.yaml
@@ -32,6 +32,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/security/csrf-check-disabled-globally.yaml b/python/pyramid/security/csrf-check-disabled-globally.yaml
index 167d28239e..d8e73a9866 100644
--- a/python/pyramid/security/csrf-check-disabled-globally.yaml
+++ b/python/pyramid/security/csrf-check-disabled-globally.yaml
@@ -21,6 +21,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/security/direct-use-of-response.yaml b/python/pyramid/security/direct-use-of-response.yaml
index 2522cf10f4..4d06dc0eed 100644
--- a/python/pyramid/security/direct-use-of-response.yaml
+++ b/python/pyramid/security/direct-use-of-response.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - pyramid
diff --git a/python/pyramid/security/sqlalchemy-sql-injection.yaml b/python/pyramid/security/sqlalchemy-sql-injection.yaml
index c23d2bee78..4af2b97318 100644
--- a/python/pyramid/security/sqlalchemy-sql-injection.yaml
+++ b/python/pyramid/security/sqlalchemy-sql-injection.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data
 technology:
diff --git a/python/requests/security/disabled-cert-validation.yaml b/python/requests/security/disabled-cert-validation.yaml
index 298c36b53a..890eb31fa5 100644
--- a/python/requests/security/disabled-cert-validation.yaml
+++ b/python/requests/security/disabled-cert-validation.yaml
@@ -10,6 +10,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib
 category: security
diff --git a/python/requests/security/no-auth-over-http.yaml b/python/requests/security/no-auth-over-http.yaml
index 5060e6b7a7..b33be40749 100644
--- a/python/requests/security/no-auth-over-http.yaml
+++ b/python/requests/security/no-auth-over-http.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://pypi.org/project/flake8-flask/
 references:
 - https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/
diff --git a/python/sh/security/string-concat.yaml b/python/sh/security/string-concat.yaml
index ad26350d19..2ffd9259c3 100644
--- a/python/sh/security/string-concat.yaml
+++ b/python/sh/security/string-concat.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - sh
diff --git a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml
index 0af6538758..4165ff0c92 100644
--- a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml
+++ b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml
@@ -40,6 +40,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 category: security
diff --git a/python/sqlalchemy/security/sqlalchemy-execute-raw-query.yaml b/python/sqlalchemy/security/sqlalchemy-execute-raw-query.yaml
index 52ffd881e4..10fc1d5270 100644
--- a/python/sqlalchemy/security/sqlalchemy-execute-raw-query.yaml
+++ b/python/sqlalchemy/security/sqlalchemy-execute-raw-query.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
 - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
diff --git a/python/sqlalchemy/security/sqlalchemy-sql-injection.yaml b/python/sqlalchemy/security/sqlalchemy-sql-injection.yaml
index cc2850f63e..1183878e0c 100644
--- a/python/sqlalchemy/security/sqlalchemy-sql-injection.yaml
+++ b/python/sqlalchemy/security/sqlalchemy-sql-injection.yaml
@@ -47,6 +47,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/python/twilio/security/twiml-injection.yaml b/python/twilio/security/twiml-injection.yaml
index 7f63099166..7e03da238a 100644
--- a/python/twilio/security/twiml-injection.yaml
+++ b/python/twilio/security/twiml-injection.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-91: XML Injection"
 owasp:
 - "A03:2021 - Injection"
+ - A05:2025 - Injection
 category: security
 technology:
 - python
@@ -18,7 +19,8 @@ rules:
 confidence: MEDIUM
 likelihood: HIGH
 impact: MEDIUM
- subcategory: vuln
+ subcategory:
+ - vuln
 references:
 - https://codeberg.org/fennix/funjection
 mode: taint
diff --git a/ruby/aws-lambda/security/activerecord-sqli.yaml b/ruby/aws-lambda/security/activerecord-sqli.yaml
index 8229938dfc..20ace0a817 100644
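Review bot: In `twiml-injection.yaml` the added `- A05:2025 - Injection` is a plain scalar while the sibling entry it sits under, `- "A03:2021 - Injection"`, is double-quoted; both parse to the same string, but mixed quoting inside one short list reads as an oversight. Either quote the new line as `- "A05:2025 - Injection"` or drop the quotes on both entries, which is the form every other rule file in this diff uses. The second hunk's move from `subcategory: vuln` to a one-item list brings this file in line with the list form the sibling rules use (for example `sha224-hash.yaml`), so no further change is needed there.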
--- a/ruby/aws-lambda/security/activerecord-sqli.yaml
+++ b/ruby/aws-lambda/security/activerecord-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/ruby/aws-lambda/security/mysql2-sqli.yaml b/ruby/aws-lambda/security/mysql2-sqli.yaml
index 56172d9d29..4337da91d3 100644
--- a/ruby/aws-lambda/security/mysql2-sqli.yaml
+++ b/ruby/aws-lambda/security/mysql2-sqli.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/ruby/aws-lambda/security/pg-sqli.yaml b/ruby/aws-lambda/security/pg-sqli.yaml
index 5846886fad..1fd8ea3e15 100644
--- a/ruby/aws-lambda/security/pg-sqli.yaml
+++ b/ruby/aws-lambda/security/pg-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/ruby/aws-lambda/security/sequel-sqli.yaml b/ruby/aws-lambda/security/sequel-sqli.yaml
index 5e3924649f..cd46464d8c 100644
--- a/ruby/aws-lambda/security/sequel-sqli.yaml
+++ b/ruby/aws-lambda/security/sequel-sqli.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/ruby/aws-lambda/security/tainted-deserialization.yaml b/ruby/aws-lambda/security/tainted-deserialization.yaml
index ea6d9809ce..acf6756889 100644
--- a/ruby/aws-lambda/security/tainted-deserialization.yaml
+++ b/ruby/aws-lambda/security/tainted-deserialization.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-502: Deserialization of Untrusted Data'
 technology:
diff --git a/ruby/aws-lambda/security/tainted-sql-string.yaml b/ruby/aws-lambda/security/tainted-sql-string.yaml
index 77487ad365..c0a9653ad5 100644
--- a/ruby/aws-lambda/security/tainted-sql-string.yaml
+++ b/ruby/aws-lambda/security/tainted-sql-string.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
 technology:
diff --git a/ruby/jwt/security/audit/jwt-decode-without-verify.yaml b/ruby/jwt/security/audit/jwt-decode-without-verify.yaml
index fce7793522..69038d0842 100644
--- a/ruby/jwt/security/audit/jwt-decode-without-verify.yaml
+++ b/ruby/jwt/security/audit/jwt-decode-without-verify.yaml
@@ -10,6 +10,7 @@ rules:
 - 'CWE-345: Insufficient Verification of Data Authenticity'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/ruby/jwt/security/audit/jwt-exposed-data.yaml b/ruby/jwt/security/audit/jwt-exposed-data.yaml
index e943209727..ca9cb9bb44 100644
--- a/ruby/jwt/security/audit/jwt-exposed-data.yaml
+++ b/ruby/jwt/security/audit/jwt-exposed-data.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-522: Insufficiently Protected Credentials'
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
diff --git a/ruby/jwt/security/jwt-exposed-credentials.yaml b/ruby/jwt/security/jwt-exposed-credentials.yaml
index 6fd79358f8..b4b6d79198 100644
--- a/ruby/jwt/security/jwt-exposed-credentials.yaml
+++ b/ruby/jwt/security/jwt-exposed-credentials.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 references:
 - https://cwe.mitre.org/data/definitions/522.html
diff --git a/ruby/jwt/security/jwt-hardcode.yaml b/ruby/jwt/security/jwt-hardcode.yaml
index 65f44392f3..f331991b60 100644
--- a/ruby/jwt/security/jwt-hardcode.yaml
+++ b/ruby/jwt/security/jwt-hardcode.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/ruby/jwt/security/jwt-none-alg.yaml b/ruby/jwt/security/jwt-none-alg.yaml
index 93eb7a3f2f..211e838a8a 100644
--- a/ruby/jwt/security/jwt-none-alg.yaml
+++ b/ruby/jwt/security/jwt-none-alg.yaml
@@ -12,6 +12,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 category: security
 technology:
diff --git a/ruby/lang/security/audit/sha224-hash.yaml b/ruby/lang/security/audit/sha224-hash.yaml
index 760679459f..432f580447 100644
--- a/ruby/lang/security/audit/sha224-hash.yaml
+++ b/ruby/lang/security/audit/sha224-hash.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/ruby/lang/security/bad-deserialization-env.yaml b/ruby/lang/security/bad-deserialization-env.yaml
index 652d8a0d83..708148be9e 100644
--- a/ruby/lang/security/bad-deserialization-env.yaml
+++ b/ruby/lang/security/bad-deserialization-env.yaml
@@ -31,6 +31,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 technology:
 - ruby
 cwe2022-top25: true
diff --git a/ruby/lang/security/bad-deserialization-yaml.yaml b/ruby/lang/security/bad-deserialization-yaml.yaml
index bf403557bf..f4ea7fe7eb 100644
--- a/ruby/lang/security/bad-deserialization-yaml.yaml
+++ b/ruby/lang/security/bad-deserialization-yaml.yaml
@@ -50,6 +50,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/lang/security/bad-deserialization.yaml b/ruby/lang/security/bad-deserialization.yaml
index dc0236e132..e9992d1918 100644
--- a/ruby/lang/security/bad-deserialization.yaml
+++ b/ruby/lang/security/bad-deserialization.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A08:2017 - Insecure Deserialization
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 technology:
 - ruby
 cwe2022-top25: true
diff --git a/ruby/lang/security/cookie-serialization.yaml b/ruby/lang/security/cookie-serialization.yaml
index 5b662cbd52..efe3e3c2d7 100644
--- a/ruby/lang/security/cookie-serialization.yaml
+++ b/ruby/lang/security/cookie-serialization.yaml
@@ -16,6 +16,7 @@ rules:
 - ruby
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/ruby/lang/security/create-with.yaml b/ruby/lang/security/create-with.yaml
index 6e6a282c8c..92c4dc731c 100644
--- a/ruby/lang/security/create-with.yaml
+++ b/ruby/lang/security/create-with.yaml
@@ -22,6 +22,7 @@ rules:
 - ruby
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/ruby/lang/security/dangerous-exec.yaml b/ruby/lang/security/dangerous-exec.yaml
index c85e51f682..071be96618 100644
--- a/ruby/lang/security/dangerous-exec.yaml
+++ b/ruby/lang/security/dangerous-exec.yaml
@@ -36,6 +36,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - ruby
diff --git a/ruby/lang/security/dangerous-open.yaml b/ruby/lang/security/dangerous-open.yaml
index 47a6bedc35..20c83e94ad 100644
--- a/ruby/lang/security/dangerous-open.yaml
+++ b/ruby/lang/security/dangerous-open.yaml
@@ -18,6 +18,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - ruby
diff --git a/ruby/lang/security/dangerous-open3-pipeline.yaml b/ruby/lang/security/dangerous-open3-pipeline.yaml
index 17e9bb52ce..310f7bd017 100644
--- a/ruby/lang/security/dangerous-open3-pipeline.yaml
+++ b/ruby/lang/security/dangerous-open3-pipeline.yaml
@@ -18,6 +18,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - ruby
diff --git a/ruby/lang/security/dangerous-subshell.yaml b/ruby/lang/security/dangerous-subshell.yaml
index 4a4c402814..b927c07ba2 100644
--- a/ruby/lang/security/dangerous-subshell.yaml
+++ b/ruby/lang/security/dangerous-subshell.yaml
@@ -18,6 +18,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - ruby
diff --git a/ruby/lang/security/dangerous-syscall.yaml b/ruby/lang/security/dangerous-syscall.yaml
index 2ad6d980ca..e1667a11b2 100644
--- a/ruby/lang/security/dangerous-syscall.yaml
+++ b/ruby/lang/security/dangerous-syscall.yaml
@@ -10,6 +10,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - ruby
diff --git a/ruby/lang/security/file-disclosure.yaml b/ruby/lang/security/file-disclosure.yaml
index ed7bd6c790..9dfffdbb4a 100644
--- a/ruby/lang/security/file-disclosure.yaml
+++ b/ruby/lang/security/file-disclosure.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/lang/security/filter-skipping.yaml b/ruby/lang/security/filter-skipping.yaml
index c16baaa678..70d4e03a9a 100644
--- a/ruby/lang/security/filter-skipping.yaml
+++ b/ruby/lang/security/filter-skipping.yaml
@@ -22,6 +22,7 @@ rules:
 - ruby
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: LOW
diff --git a/ruby/lang/security/force-ssl-false.yaml b/ruby/lang/security/force-ssl-false.yaml
index c7b60e5dad..47b8049bfa 100644
--- a/ruby/lang/security/force-ssl-false.yaml
+++ b/ruby/lang/security/force-ssl-false.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/ruby/lang/security/hardcoded-http-auth-in-controller.yaml b/ruby/lang/security/hardcoded-http-auth-in-controller.yaml
index 9409f95369..5ba29d4667 100644
--- a/ruby/lang/security/hardcoded-http-auth-in-controller.yaml
+++ b/ruby/lang/security/hardcoded-http-auth-in-controller.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-798: Use of Hard-coded Credentials'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown
diff --git a/ruby/lang/security/hardcoded-secret-rsa-passphrase.yaml b/ruby/lang/security/hardcoded-secret-rsa-passphrase.yaml
index 3e489992c3..bfae694441 100644
--- a/ruby/lang/security/hardcoded-secret-rsa-passphrase.yaml
+++ b/ruby/lang/security/hardcoded-secret-rsa-passphrase.yaml
@@ -18,6 +18,7 @@ rules:
 - 'CWE-798: Use of Hard-coded Credentials'
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/lang/security/insufficient-rsa-key-size.yaml b/ruby/lang/security/insufficient-rsa-key-size.yaml
index 75082e9126..86cba69128 100644
--- a/ruby/lang/security/insufficient-rsa-key-size.yaml
+++ b/ruby/lang/security/insufficient-rsa-key-size.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: HIGH
diff --git a/ruby/lang/security/json-entity-escape.yaml b/ruby/lang/security/json-entity-escape.yaml
index da6d0e519b..d761a9a7d9 100644
--- a/ruby/lang/security/json-entity-escape.yaml
+++ b/ruby/lang/security/json-entity-escape.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 cwe2022-top25: true
diff --git a/ruby/lang/security/mass-assignment-protection-disabled.yaml b/ruby/lang/security/mass-assignment-protection-disabled.yaml
index a69c9a64d5..8301502330 100644
--- a/ruby/lang/security/mass-assignment-protection-disabled.yaml
+++ b/ruby/lang/security/mass-assignment-protection-disabled.yaml
@@ -12,6 +12,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/mass_assignment/index.markdown
 category: security
 technology:
diff --git a/ruby/lang/security/md5-used-as-password.yaml b/ruby/lang/security/md5-used-as-password.yaml
index dabffa916b..7ae92e66a7 100644
--- a/ruby/lang/security/md5-used-as-password.yaml
+++ b/ruby/lang/security/md5-used-as-password.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
 subcategory:
diff --git a/ruby/lang/security/missing-csrf-protection.yaml b/ruby/lang/security/missing-csrf-protection.yaml
index 484e6c37e1..fa0760aa7b 100644
--- a/ruby/lang/security/missing-csrf-protection.yaml
+++ b/ruby/lang/security/missing-csrf-protection.yaml
@@ -25,6 +25,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown
 category: security
 technology:
diff --git a/ruby/lang/security/model-attr-accessible.yaml b/ruby/lang/security/model-attr-accessible.yaml
index d1a1cebedb..55a7b82a0f 100644
--- a/ruby/lang/security/model-attr-accessible.yaml
+++ b/ruby/lang/security/model-attr-accessible.yaml
@@ -17,6 +17,7 @@ rules:
 - ruby
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/ruby/lang/security/model-attributes-attr-accessible.yaml b/ruby/lang/security/model-attributes-attr-accessible.yaml
index ae83fd9b71..4ff9ddef49 100644
--- a/ruby/lang/security/model-attributes-attr-accessible.yaml
+++ b/ruby/lang/security/model-attributes-attr-accessible.yaml
@@ -32,6 +32,7 @@ rules:
 category: security
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 technology:
diff --git a/ruby/lang/security/no-eval.yaml b/ruby/lang/security/no-eval.yaml
index 1b553009e8..411bb85f28 100644
--- a/ruby/lang/security/no-eval.yaml
+++ b/ruby/lang/security/no-eval.yaml
@@ -17,6 +17,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://owasp.org/Top10/A03_2021-Injection
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_evaluation.rb
diff --git a/ruby/lang/security/no-send.yaml b/ruby/lang/security/no-send.yaml
index 47788888ff..f646e1dbdf 100644
--- a/ruby/lang/security/no-send.yaml
+++ b/ruby/lang/security/no-send.yaml
@@ -17,6 +17,7 @@ rules:
 - ruby
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 subcategory:
 - audit
diff --git a/ruby/lang/security/ssl-mode-no-verify.yaml b/ruby/lang/security/ssl-mode-no-verify.yaml
index 8fb5518554..a37e307b55 100644
--- a/ruby/lang/security/ssl-mode-no-verify.yaml
+++ b/ruby/lang/security/ssl-mode-no-verify.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 references:
 - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
 subcategory:
diff --git a/ruby/lang/security/unprotected-mass-assign.yaml b/ruby/lang/security/unprotected-mass-assign.yaml
index f7207d89f1..4299f6405a 100644
--- a/ruby/lang/security/unprotected-mass-assign.yaml
+++ b/ruby/lang/security/unprotected-mass-assign.yaml
@@ -20,6 +20,7 @@ rules:
 metadata:
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 references:
diff --git a/ruby/lang/security/weak-hashes-md5.yaml b/ruby/lang/security/weak-hashes-md5.yaml
index 35910be37a..862e382f3f 100644
--- a/ruby/lang/security/weak-hashes-md5.yaml
+++ b/ruby/lang/security/weak-hashes-md5.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/ruby/lang/security/weak-hashes-sha1.yaml b/ruby/lang/security/weak-hashes-sha1.yaml
index 0342a892b0..4196e3d714 100644
--- a/ruby/lang/security/weak-hashes-sha1.yaml
+++ b/ruby/lang/security/weak-hashes-sha1.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/ruby/rails/security/audit/avoid-session-manipulation.yaml b/ruby/rails/security/audit/avoid-session-manipulation.yaml
index 26567a1528..973d5643fb 100644
--- a/ruby/rails/security/audit/avoid-session-manipulation.yaml
+++ b/ruby/rails/security/audit/avoid-session-manipulation.yaml
@@ -5,6 +5,7 @@ rules:
 tags: [security]
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-276: Incorrect Default Permissions'
 references:
diff --git a/ruby/rails/security/audit/avoid-tainted-file-access.yaml b/ruby/rails/security/audit/avoid-tainted-file-access.yaml
index fbf647e4f9..6855dcaa74 100644
--- a/ruby/rails/security/audit/avoid-tainted-file-access.yaml
+++ b/ruby/rails/security/audit/avoid-tainted-file-access.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 references:
diff --git a/ruby/rails/security/audit/avoid-tainted-ftp-call.yaml b/ruby/rails/security/audit/avoid-tainted-ftp-call.yaml
index 35eb3d6df7..f42323179c 100644
--- a/ruby/rails/security/audit/avoid-tainted-ftp-call.yaml
+++ b/ruby/rails/security/audit/avoid-tainted-ftp-call.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 references:
diff --git a/ruby/rails/security/audit/avoid-tainted-http-request.yaml b/ruby/rails/security/audit/avoid-tainted-http-request.yaml
index c1a646b496..a4d2f08ece 100644
--- a/ruby/rails/security/audit/avoid-tainted-http-request.yaml
+++ b/ruby/rails/security/audit/avoid-tainted-http-request.yaml
@@ -3,6 +3,7 @@ rules:
 metadata:
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 references:
diff --git a/ruby/rails/security/audit/avoid-tainted-shell-call.yaml b/ruby/rails/security/audit/avoid-tainted-shell-call.yaml
index bc30240490..517819737e 100644
--- a/ruby/rails/security/audit/avoid-tainted-shell-call.yaml
+++ b/ruby/rails/security/audit/avoid-tainted-shell-call.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
 references:
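Review bot: In the avoid-tainted-http-request hunk the added `A01:2025 - Broken Access Control` sits directly under `A10:2021 - Server-Side Request Forgery (SSRF)` and above `CWE-918`, and nothing in the file explains why an SSRF rule now carries an access-control category; a later maintainer is likely to read it as a copy-paste error and "correct" it. If, as I understand it, the 2025 list has no standalone SSRF category and folds it into A01, record that next to the entry: `# OWASP Top 10 2025 folds SSRF (CWE-918) into A01; no standalone SSRF category` placed above the new line. The same comment is warranted on the other SSRF rules in this diff (dispatch-ssrf, io-source-ssrf, scalaj-http-ssrf and webservice-ssrf), which make the identical mapping without a note.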
diff --git a/ruby/rails/security/audit/detailed-exceptions.yaml b/ruby/rails/security/audit/detailed-exceptions.yaml
index 3c5a83941f..4b7f8d9c32 100644
--- a/ruby/rails/security/audit/detailed-exceptions.yaml
+++ b/ruby/rails/security/audit/detailed-exceptions.yaml
@@ -3,6 +3,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_detailed_exceptions.rb
diff --git a/ruby/rails/security/audit/rails-skip-forgery-protection.yaml b/ruby/rails/security/audit/rails-skip-forgery-protection.yaml
index cd0d40029f..2ccbfe4ae2 100644
--- a/ruby/rails/security/audit/rails-skip-forgery-protection.yaml
+++ b/ruby/rails/security/audit/rails-skip-forgery-protection.yaml
@@ -15,6 +15,7 @@ rules:
 - https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/sqli/ruby-pg-sqli.yaml b/ruby/rails/security/audit/sqli/ruby-pg-sqli.yaml
index a02d5504b5..234a9aba88 100644
--- a/ruby/rails/security/audit/sqli/ruby-pg-sqli.yaml
+++ b/ruby/rails/security/audit/sqli/ruby-pg-sqli.yaml
@@ -48,6 +48,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.rubydoc.info/gems/pg/PG/Connection
 category: security
diff --git a/ruby/rails/security/audit/xss/avoid-content-tag.yaml b/ruby/rails/security/audit/xss/avoid-content-tag.yaml
index 72e0755217..113c91b34e 100644
--- a/ruby/rails/security/audit/xss/avoid-content-tag.yaml
+++ b/ruby/rails/security/audit/xss/avoid-content-tag.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-default-routes.yaml b/ruby/rails/security/audit/xss/avoid-default-routes.yaml
index 2542a594f1..ace8775160 100644
--- a/ruby/rails/security/audit/xss/avoid-default-routes.yaml
+++ b/ruby/rails/security/audit/xss/avoid-default-routes.yaml
@@ -3,6 +3,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-276: Incorrect Default Permissions'
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-html-safe.yaml b/ruby/rails/security/audit/xss/avoid-html-safe.yaml
index 930c1dc77f..6808239b5e 100644
--- a/ruby/rails/security/audit/xss/avoid-html-safe.yaml
+++ b/ruby/rails/security/audit/xss/avoid-html-safe.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-link-to.yaml b/ruby/rails/security/audit/xss/avoid-link-to.yaml
index 921cb524b1..5f2f2a2344 100644
--- a/ruby/rails/security/audit/xss/avoid-link-to.yaml
+++ b/ruby/rails/security/audit/xss/avoid-link-to.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-raw.yaml b/ruby/rails/security/audit/xss/avoid-raw.yaml
index 221a91c688..ee7521971a 100644
--- a/ruby/rails/security/audit/xss/avoid-raw.yaml
+++ b/ruby/rails/security/audit/xss/avoid-raw.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-redirect.yaml b/ruby/rails/security/audit/xss/avoid-redirect.yaml
index a94ca86999..2df5cccd5d 100644
--- a/ruby/rails/security/audit/xss/avoid-redirect.yaml
+++ b/ruby/rails/security/audit/xss/avoid-redirect.yaml
@@ -3,6 +3,7 @@ rules:
 metadata:
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-render-dynamic-path.yaml b/ruby/rails/security/audit/xss/avoid-render-dynamic-path.yaml
index b9e87979e6..33b33a2ffa 100644
--- a/ruby/rails/security/audit/xss/avoid-render-dynamic-path.yaml
+++ b/ruby/rails/security/audit/xss/avoid-render-dynamic-path.yaml
@@ -4,6 +4,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-render-inline.yaml b/ruby/rails/security/audit/xss/avoid-render-inline.yaml
index 077487b55c..dbb947fa30 100644
--- a/ruby/rails/security/audit/xss/avoid-render-inline.yaml
+++ b/ruby/rails/security/audit/xss/avoid-render-inline.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/avoid-render-text.yaml b/ruby/rails/security/audit/xss/avoid-render-text.yaml
index f0f63fb58b..0d4cce31f6 100644
--- a/ruby/rails/security/audit/xss/avoid-render-text.yaml
+++ b/ruby/rails/security/audit/xss/avoid-render-text.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/manual-template-creation.yaml b/ruby/rails/security/audit/xss/manual-template-creation.yaml
index 91293fb392..255715ffae 100644
--- a/ruby/rails/security/audit/xss/manual-template-creation.yaml
+++ b/ruby/rails/security/audit/xss/manual-template-creation.yaml
@@ -5,6 +5,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe:
 - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
 references:
diff --git a/ruby/rails/security/audit/xss/templates/alias-for-html-safe.yaml b/ruby/rails/security/audit/xss/templates/alias-for-html-safe.yaml
index 38346d36b7..88d2fd331e 100644
--- a/ruby/rails/security/audit/xss/templates/alias-for-html-safe.yaml
+++ b/ruby/rails/security/audit/xss/templates/alias-for-html-safe.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/xss/templates/avoid-content-tag.yaml b/ruby/rails/security/audit/xss/templates/avoid-content-tag.yaml
index 77a45ca6ad..b829e8becc 100644
--- a/ruby/rails/security/audit/xss/templates/avoid-content-tag.yaml
+++ b/ruby/rails/security/audit/xss/templates/avoid-content-tag.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/xss/templates/avoid-html-safe.yaml b/ruby/rails/security/audit/xss/templates/avoid-html-safe.yaml
index 2f4b6ce139..67d45d2ac2 100644
--- a/ruby/rails/security/audit/xss/templates/avoid-html-safe.yaml
+++ b/ruby/rails/security/audit/xss/templates/avoid-html-safe.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/xss/templates/avoid-raw.yaml b/ruby/rails/security/audit/xss/templates/avoid-raw.yaml
index ba7a951a77..e49f01cc7f 100644
--- a/ruby/rails/security/audit/xss/templates/avoid-raw.yaml
+++ b/ruby/rails/security/audit/xss/templates/avoid-raw.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/xss/templates/dangerous-link-to.yaml b/ruby/rails/security/audit/xss/templates/dangerous-link-to.yaml
index 909ba9e0ab..f4ee72e827 100644
--- a/ruby/rails/security/audit/xss/templates/dangerous-link-to.yaml
+++ b/ruby/rails/security/audit/xss/templates/dangerous-link-to.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss
 - https://brakemanscanner.org/docs/warning_types/link_to_href/
diff --git a/ruby/rails/security/audit/xss/templates/unquoted-attribute.yaml b/ruby/rails/security/audit/xss/templates/unquoted-attribute.yaml
index ebe3c7e8c4..fdca99978c 100644
--- a/ruby/rails/security/audit/xss/templates/unquoted-attribute.yaml
+++ b/ruby/rails/security/audit/xss/templates/unquoted-attribute.yaml
@@ -9,6 +9,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
diff --git a/ruby/rails/security/audit/xss/templates/var-in-href.yaml b/ruby/rails/security/audit/xss/templates/var-in-href.yaml
index 73e1310f4f..f742f03783 100644
--- a/ruby/rails/security/audit/xss/templates/var-in-href.yaml
+++ b/ruby/rails/security/audit/xss/templates/var-in-href.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI
 - https://github.com/pugjs/pug/issues/2952
diff --git a/ruby/rails/security/audit/xss/templates/var-in-script-tag.yaml b/ruby/rails/security/audit/xss/templates/var-in-script-tag.yaml
index 6fb471016e..f36bdb4da3 100644
--- a/ruby/rails/security/audit/xss/templates/var-in-script-tag.yaml
+++ b/ruby/rails/security/audit/xss/templates/var-in-script-tag.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/ruby/rails/security/audit/xxe/libxml-backend.yaml b/ruby/rails/security/audit/xxe/libxml-backend.yaml
index 6d4a1ae860..dfb1c38810 100644
--- a/ruby/rails/security/audit/xxe/libxml-backend.yaml
+++ b/ruby/rails/security/audit/xxe/libxml-backend.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 confidence: LOW
 cwe2022-top25: true
 cwe2021-top25: true
diff --git a/ruby/rails/security/audit/xxe/xml-external-entities-enabled.yaml b/ruby/rails/security/audit/xxe/xml-external-entities-enabled.yaml
index 52ed1321e2..5c4b817584 100644
--- a/ruby/rails/security/audit/xxe/xml-external-entities-enabled.yaml
+++ b/ruby/rails/security/audit/xxe/xml-external-entities-enabled.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 confidence: LOW
 cwe2022-top25: true
 cwe2021-top25: true
diff --git a/ruby/rails/security/brakeman/check-before-filter.yaml b/ruby/rails/security/brakeman/check-before-filter.yaml
index 15fe88121c..41ddad6601 100644
--- a/ruby/rails/security/brakeman/check-before-filter.yaml
+++ b/ruby/rails/security/brakeman/check-before-filter.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-cookie-store-session-security-attributes.yaml b/ruby/rails/security/brakeman/check-cookie-store-session-security-attributes.yaml
index 8f933d9c8a..15609b9c0d 100644
--- a/ruby/rails/security/brakeman/check-cookie-store-session-security-attributes.yaml
+++ b/ruby/rails/security/brakeman/check-cookie-store-session-security-attributes.yaml
@@ -26,6 +26,7 @@ rules:
 - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-dynamic-render-local-file-include.yaml b/ruby/rails/security/brakeman/check-dynamic-render-local-file-include.yaml
index 8251bdaf06..86fd777eaa 100644
--- a/ruby/rails/security/brakeman/check-dynamic-render-local-file-include.yaml
+++ b/ruby/rails/security/brakeman/check-dynamic-render-local-file-include.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb
 references:
 - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
diff --git a/ruby/rails/security/brakeman/check-http-verb-confusion.yaml b/ruby/rails/security/brakeman/check-http-verb-confusion.yaml
index 03d60e19b4..e8550b8be2 100644
--- a/ruby/rails/security/brakeman/check-http-verb-confusion.yaml
+++ b/ruby/rails/security/brakeman/check-http-verb-confusion.yaml
@@ -26,6 +26,7 @@ rules:
 - 'CWE-650: Trusting HTTP Permission Methods on the Server Side'
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-permit-attributes-high.yaml b/ruby/rails/security/brakeman/check-permit-attributes-high.yaml
index c5dd9d1fbc..2513eea7c5 100644
--- a/ruby/rails/security/brakeman/check-permit-attributes-high.yaml
+++ b/ruby/rails/security/brakeman/check-permit-attributes-high.yaml
@@ -17,6 +17,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-permit-attributes-medium.yaml b/ruby/rails/security/brakeman/check-permit-attributes-medium.yaml
index e91f5cb717..e415742da8 100644
--- a/ruby/rails/security/brakeman/check-permit-attributes-medium.yaml
+++ b/ruby/rails/security/brakeman/check-permit-attributes-medium.yaml
@@ -17,6 +17,7 @@ rules:
 - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-rails-secret-yaml.yaml b/ruby/rails/security/brakeman/check-rails-secret-yaml.yaml
index ba07f94cdb..d297f2e10e 100644
--- a/ruby/rails/security/brakeman/check-rails-secret-yaml.yaml
+++ b/ruby/rails/security/brakeman/check-rails-secret-yaml.yaml
@@ -30,6 +30,7 @@ rules:
 - 'CWE-540: Inclusion of Sensitive Information in Source Code'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-rails-session-secret-handling.yaml b/ruby/rails/security/brakeman/check-rails-session-secret-handling.yaml
index e1f9784bd3..e55a0a16d5 100644
--- a/ruby/rails/security/brakeman/check-rails-session-secret-handling.yaml
+++ b/ruby/rails/security/brakeman/check-rails-session-secret-handling.yaml
@@ -28,6 +28,7 @@ rules:
 - 'CWE-540: Inclusion of Sensitive Information in Source Code'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-redirect-to.yaml b/ruby/rails/security/brakeman/check-redirect-to.yaml
index 88ab62a4f6..c62d98df07 100644
--- a/ruby/rails/security/brakeman/check-redirect-to.yaml
+++ b/ruby/rails/security/brakeman/check-redirect-to.yaml
@@ -72,6 +72,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/ruby/rails/security/brakeman/check-render-local-file-include.yaml b/ruby/rails/security/brakeman/check-render-local-file-include.yaml
index a0ee415c2c..b33672b8e0 100644
--- a/ruby/rails/security/brakeman/check-render-local-file-include.yaml
+++ b/ruby/rails/security/brakeman/check-render-local-file-include.yaml
@@ -46,6 +46,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb
 references:
 - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
diff --git a/ruby/rails/security/brakeman/check-secrets.yaml b/ruby/rails/security/brakeman/check-secrets.yaml
index 7efae988e2..161a207769 100644
--- a/ruby/rails/security/brakeman/check-secrets.yaml
+++ b/ruby/rails/security/brakeman/check-secrets.yaml
@@ -23,6 +23,7 @@ rules:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_secrets.rb
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
diff --git a/ruby/rails/security/brakeman/check-send-file.yaml b/ruby/rails/security/brakeman/check-send-file.yaml
index bf895da8fa..5c362e676d 100644
--- a/ruby/rails/security/brakeman/check-send-file.yaml
+++ b/ruby/rails/security/brakeman/check-send-file.yaml
@@ -31,6 +31,7 @@ rules:
 - 'CWE-73: External Control of File Name or Path'
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-sql.yaml b/ruby/rails/security/brakeman/check-sql.yaml
index a470e5813a..e370d38c12 100644
--- a/ruby/rails/security/brakeman/check-sql.yaml
+++ b/ruby/rails/security/brakeman/check-sql.yaml
@@ -74,6 +74,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
index edbe2cf3c7..16f84d41b3 100644
--- a/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
+++ b/ruby/rails/security/brakeman/check-unsafe-reflection-methods.yaml
@@ -46,6 +46,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-unsafe-reflection.yaml b/ruby/rails/security/brakeman/check-unsafe-reflection.yaml
index cbd6c5b530..7ee837bc3d 100644
--- a/ruby/rails/security/brakeman/check-unsafe-reflection.yaml
+++ b/ruby/rails/security/brakeman/check-unsafe-reflection.yaml
@@ -41,6 +41,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-unscoped-find.yaml b/ruby/rails/security/brakeman/check-unscoped-find.yaml
index 1143278358..53c837f385 100644
--- a/ruby/rails/security/brakeman/check-unscoped-find.yaml
+++ b/ruby/rails/security/brakeman/check-unscoped-find.yaml
@@ -38,6 +38,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/brakeman/check-validation-regex.yaml b/ruby/rails/security/brakeman/check-validation-regex.yaml
index 53b472e214..67a721d02b 100644
--- a/ruby/rails/security/brakeman/check-validation-regex.yaml
+++ b/ruby/rails/security/brakeman/check-validation-regex.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 technology:
 - ruby
 - rails
diff --git a/ruby/rails/security/injection/raw-html-format.yaml b/ruby/rails/security/injection/raw-html-format.yaml
index fb9e474612..a3f7e79833 100644
--- a/ruby/rails/security/injection/raw-html-format.yaml
+++ b/ruby/rails/security/injection/raw-html-format.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - rails
diff --git a/ruby/rails/security/injection/tainted-sql-string.yaml b/ruby/rails/security/injection/tainted-sql-string.yaml
index 14f9c3753c..bce63fba1b 100644
--- a/ruby/rails/security/injection/tainted-sql-string.yaml
+++ b/ruby/rails/security/injection/tainted-sql-string.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - rails
diff --git a/ruby/rails/security/injection/tainted-url-host.yaml b/ruby/rails/security/injection/tainted-url-host.yaml
index 6e48ac8203..2e0ade779e 100644
--- a/ruby/rails/security/injection/tainted-url-host.yaml
+++ b/ruby/rails/security/injection/tainted-url-host.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - rails
diff --git a/scala/jwt-scala/security/jwt-scala-hardcode.yaml b/scala/jwt-scala/security/jwt-scala-hardcode.yaml
index 9a34da8fc9..5cafd9883d 100644
--- a/scala/jwt-scala/security/jwt-scala-hardcode.yaml
+++ b/scala/jwt-scala/security/jwt-scala-hardcode.yaml
@@ -73,6 +73,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 technology:
 - scala
 confidence: HIGH
diff --git a/scala/lang/security/audit/dangerous-seq-run.yaml b/scala/lang/security/audit/dangerous-seq-run.yaml
index c49deeea07..93e2db61f4 100644
--- a/scala/lang/security/audit/dangerous-seq-run.yaml
+++ b/scala/lang/security/audit/dangerous-seq-run.yaml
@@ -27,6 +27,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 confidence: LOW
diff --git a/scala/lang/security/audit/dangerous-shell-run.yaml b/scala/lang/security/audit/dangerous-shell-run.yaml
index a2dd55cac2..189e57f794 100644
--- a/scala/lang/security/audit/dangerous-shell-run.yaml
+++ b/scala/lang/security/audit/dangerous-shell-run.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 confidence: LOW
diff --git a/scala/lang/security/audit/dispatch-ssrf.yaml b/scala/lang/security/audit/dispatch-ssrf.yaml
index 92085d8ba6..41a6542ea9 100644
--- a/scala/lang/security/audit/dispatch-ssrf.yaml
+++ b/scala/lang/security/audit/dispatch-ssrf.yaml
@@ -26,6 +26,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 - https://dispatchhttp.org/Dispatch.html
diff --git a/scala/lang/security/audit/documentbuilder-dtd-enabled.yaml b/scala/lang/security/audit/documentbuilder-dtd-enabled.yaml
index 69870af687..2380ebce5c 100644
--- a/scala/lang/security/audit/documentbuilder-dtd-enabled.yaml
+++ b/scala/lang/security/audit/documentbuilder-dtd-enabled.yaml
@@ -71,6 +71,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
 category: security
 technology:
diff --git a/scala/lang/security/audit/insecure-random.yaml b/scala/lang/security/audit/insecure-random.yaml
index ccd39f6e4c..4a4a2793ca 100644
--- a/scala/lang/security/audit/insecure-random.yaml
+++ b/scala/lang/security/audit/insecure-random.yaml
@@ -5,6 +5,7 @@ rules:
 - 'CWE-330: Use of Insufficiently Random Values'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - scala
diff --git a/scala/lang/security/audit/io-source-ssrf.yaml b/scala/lang/security/audit/io-source-ssrf.yaml
index 7f8dc4d367..81036dadab 100644
--- a/scala/lang/security/audit/io-source-ssrf.yaml
+++ b/scala/lang/security/audit/io-source-ssrf.yaml
@@ -28,6 +28,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 - https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource
diff --git a/scala/lang/security/audit/path-traversal-fromfile.yaml b/scala/lang/security/audit/path-traversal-fromfile.yaml
index 20f5fef5f7..dfe315b040 100644
--- a/scala/lang/security/audit/path-traversal-fromfile.yaml
+++ b/scala/lang/security/audit/path-traversal-fromfile.yaml
@@ -6,6 +6,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - scala
diff --git a/scala/lang/security/audit/rsa-padding-set.yaml b/scala/lang/security/audit/rsa-padding-set.yaml
index a32c94bc8b..f1c293b54f 100644
--- a/scala/lang/security/audit/rsa-padding-set.yaml
+++ b/scala/lang/security/audit/rsa-padding-set.yaml
@@ -5,6 +5,7 @@ rules:
 - 'CWE-780: Use of RSA Algorithm without OAEP'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - scala
diff --git a/scala/lang/security/audit/sax-dtd-enabled.yaml b/scala/lang/security/audit/sax-dtd-enabled.yaml
index 39d10c2a30..db93c5473a 100644
--- a/scala/lang/security/audit/sax-dtd-enabled.yaml
+++ b/scala/lang/security/audit/sax-dtd-enabled.yaml
@@ -56,6 +56,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
 category: security
 technology:
diff --git a/scala/lang/security/audit/scala-dangerous-process-run.yaml b/scala/lang/security/audit/scala-dangerous-process-run.yaml
index 71262e0f6e..25212768e5 100644
--- a/scala/lang/security/audit/scala-dangerous-process-run.yaml
+++ b/scala/lang/security/audit/scala-dangerous-process-run.yaml
@@ -40,6 +40,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 confidence: LOW
diff --git a/scala/lang/security/audit/scalaj-http-ssrf.yaml b/scala/lang/security/audit/scalaj-http-ssrf.yaml
index 04f93c0978..4a76c82871 100644
--- a/scala/lang/security/audit/scalaj-http-ssrf.yaml
+++ b/scala/lang/security/audit/scalaj-http-ssrf.yaml
@@ -26,6 +26,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 - https://github.com/scalaj/scalaj-http#simplified-http
diff --git a/scala/lang/security/audit/scalajs-eval.yaml b/scala/lang/security/audit/scalajs-eval.yaml
index 2c90204f78..9e4f7c4953 100644
--- a/scala/lang/security/audit/scalajs-eval.yaml
+++ b/scala/lang/security/audit/scalajs-eval.yaml
@@ -37,6 +37,7 @@ rules:
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
 owasp:
 - A03:2021 - Injection
+ - A05:2025 - Injection
 category: security
 technology:
 - scala
diff --git a/scala/lang/security/audit/tainted-sql-string.yaml b/scala/lang/security/audit/tainted-sql-string.yaml
index dd64028a40..e3d9968153 100644
--- a/scala/lang/security/audit/tainted-sql-string.yaml
+++ b/scala/lang/security/audit/tainted-sql-string.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
 category: security
diff --git a/scala/lang/security/audit/xmlinputfactory-dtd-enabled.yaml b/scala/lang/security/audit/xmlinputfactory-dtd-enabled.yaml
index 15f1bfa746..5b3b23c7a3 100644
--- a/scala/lang/security/audit/xmlinputfactory-dtd-enabled.yaml
+++ b/scala/lang/security/audit/xmlinputfactory-dtd-enabled.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
 category: security
 technology:
diff --git a/scala/play/security/conf-csrf-headers-bypass.yaml b/scala/play/security/conf-csrf-headers-bypass.yaml
index 8892b6f573..eba6962e73 100644
--- a/scala/play/security/conf-csrf-headers-bypass.yaml
+++ b/scala/play/security/conf-csrf-headers-bypass.yaml
@@ -62,6 +62,7 @@ rules:
 - 'CWE-352: Cross-Site Request Forgery (CSRF)'
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 category: security
 technology:
 - scala
diff --git a/scala/play/security/conf-insecure-cookie-settings.yaml b/scala/play/security/conf-insecure-cookie-settings.yaml
index 3a67f4208f..f612fdfde2 100644
--- a/scala/play/security/conf-insecure-cookie-settings.yaml
+++ b/scala/play/security/conf-insecure-cookie-settings.yaml
@@ -29,6 +29,7 @@ rules:
 - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 confidence: MEDIUM
 subcategory:
 - vuln
diff --git a/scala/play/security/tainted-html-response.yaml b/scala/play/security/tainted-html-response.yaml
index d383b9ceff..32d6f1ebf6 100644
--- a/scala/play/security/tainted-html-response.yaml
+++ b/scala/play/security/tainted-html-response.yaml
@@ -8,6 +8,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 - play
diff --git a/scala/play/security/tainted-slick-sqli.yaml b/scala/play/security/tainted-slick-sqli.yaml
index 0adee4c941..e1d9b985af 100644
--- a/scala/play/security/tainted-slick-sqli.yaml
+++ b/scala/play/security/tainted-slick-sqli.yaml
@@ -11,6 +11,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 - slick
diff --git a/scala/play/security/tainted-sql-from-http-request.yaml b/scala/play/security/tainted-sql-from-http-request.yaml
index f1a363d271..89bf80b639 100644
--- a/scala/play/security/tainted-sql-from-http-request.yaml
+++ b/scala/play/security/tainted-sql-from-http-request.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
 category: security
diff --git a/scala/play/security/twirl-html-var.yaml b/scala/play/security/twirl-html-var.yaml
index a84334e656..6c4ef8ba24 100644
--- a/scala/play/security/twirl-html-var.yaml
+++ b/scala/play/security/twirl-html-var.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A07:2017 - Cross-Site Scripting (XSS)
 - A03:2021 - Injection
+ - A05:2025 - Injection
 references:
 - https://www.playframework.com/documentation/2.8.x/ScalaTemplates#Escaping
 technology:
diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml
index 93423165d7..27e565163c 100644
--- a/scala/play/security/webservice-ssrf.yaml
+++ b/scala/play/security/webservice-ssrf.yaml
@@ -35,6 +35,7 @@ rules:
 - 'CWE-918: Server-Side Request Forgery (SSRF)'
 owasp:
 - A10:2021 - Server-Side Request Forgery (SSRF)
+ - A01:2025 - Broken Access Control
 references:
 - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 - https://www.playframework.com/documentation/2.8.x/ScalaWS
diff --git a/scala/scala-jwt/security/jwt-hardcode.yaml b/scala/scala-jwt/security/jwt-hardcode.yaml
index 37833b909a..bf3174cb70 100644
--- a/scala/scala-jwt/security/jwt-hardcode.yaml
+++ b/scala/scala-jwt/security/jwt-hardcode.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
 technology:
 - jwt
diff --git a/scala/slick/security/scala-slick-overrideSql-literal.yaml b/scala/slick/security/scala-slick-overrideSql-literal.yaml
index 4dfd09c04c..319f19764f 100644
--- a/scala/slick/security/scala-slick-overrideSql-literal.yaml
+++ b/scala/slick/security/scala-slick-overrideSql-literal.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 - slick
diff --git a/scala/slick/security/scala-slick-sql-non-literal.yaml b/scala/slick/security/scala-slick-sql-non-literal.yaml
index 131a166287..bb57686074 100644
--- a/scala/slick/security/scala-slick-sql-non-literal.yaml
+++ b/scala/slick/security/scala-slick-sql-non-literal.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A01:2017 - Injection
 - A03:2021 - Injection
+ - A05:2025 - Injection
 technology:
 - scala
 - slick
diff --git a/solidity/security/arbitrary-send-erc20.yaml b/solidity/security/arbitrary-send-erc20.yaml
index ec7d2d8413..ff579ee4ea 100644
--- a/solidity/security/arbitrary-send-erc20.yaml
+++ b/solidity/security/arbitrary-send-erc20.yaml
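Review bot: The new `A01:2025 - Broken Access Control` entry under `owasp:` in webservice-ssrf.yaml will read as a mislabel next to the `CWE-918` and `A10:2021 - Server-Side Request Forgery (SSRF)` lines, because nothing in the file says why an SSRF rule is now filed under access control. The 2025 Top 10 folded the 2021 SSRF category into A01, so the mapping looks right, but that fact belongs where the next maintainer will look for it. I would add `# A10:2021 (SSRF) was merged into A01:2025 Broken Access Control` directly above the added line so nobody later "corrects" it to a 2025 SSRF category that does not exist.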
@@ -26,3 +26,4 @@ rules:
 - https://cwe.mitre.org/data/definitions/285.html
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
diff --git a/swift/lang/crypto/insecure-random.yaml b/swift/lang/crypto/insecure-random.yaml
index a06249710b..4440006fb1 100644
--- a/swift/lang/crypto/insecure-random.yaml
+++ b/swift/lang/crypto/insecure-random.yaml
@@ -17,6 +17,7 @@ rules:
 - 'MSTG-CRYPTO-6: All random values are generated using a sufficiently secure random number generator.'
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 references:
 - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements
 - https://developer.apple.com/documentation/security/1399291-secrandomcopybytes
diff --git a/swift/lang/storage/sensitive-storage-userdefaults.yaml b/swift/lang/storage/sensitive-storage-userdefaults.yaml
index c5a8c96ee3..29b58ce992 100644
--- a/swift/lang/storage/sensitive-storage-userdefaults.yaml
+++ b/swift/lang/storage/sensitive-storage-userdefaults.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
 - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/
diff --git a/terraform/aws/security/aws-athena-client-can-disable-workgroup-encryption.yaml b/terraform/aws/security/aws-athena-client-can-disable-workgroup-encryption.yaml
index 02ca803f2d..9c9b641f39 100644
--- a/terraform/aws/security/aws-athena-client-can-disable-workgroup-encryption.yaml
+++ b/terraform/aws/security/aws-athena-client-can-disable-workgroup-encryption.yaml
@@ -33,6 +33,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-athena-database-unencrypted.yaml b/terraform/aws/security/aws-athena-database-unencrypted.yaml
index 8604043f3e..59d2c35490 100644
--- a/terraform/aws/security/aws-athena-database-unencrypted.yaml
+++ b/terraform/aws/security/aws-athena-database-unencrypted.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-athena-workgroup-unencrypted.yaml b/terraform/aws/security/aws-athena-workgroup-unencrypted.yaml
index 0c58a2ea58..c7d5fd2c2b 100644
--- a/terraform/aws/security/aws-athena-workgroup-unencrypted.yaml
+++ b/terraform/aws/security/aws-athena-workgroup-unencrypted.yaml
@@ -42,6 +42,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml
index 239d1197ca..3f9bbf73bc 100644
--- a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml
+++ b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml
@@ -72,6 +72,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 references:
diff --git a/terraform/aws/security/aws-cloudwatch-log-group-unencrypted.yaml b/terraform/aws/security/aws-cloudwatch-log-group-unencrypted.yaml
index 7faf320dfa..812c13657c 100644
--- a/terraform/aws/security/aws-cloudwatch-log-group-unencrypted.yaml
+++ b/terraform/aws/security/aws-cloudwatch-log-group-unencrypted.yaml
@@ -20,6 +20,7 @@ rules:
 metadata:
 owasp:
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 technology:
diff --git a/terraform/aws/security/aws-codebuild-artifacts-unencrypted.yaml b/terraform/aws/security/aws-codebuild-artifacts-unencrypted.yaml
index 187976d1e1..4b1852078b 100644
--- a/terraform/aws/security/aws-codebuild-artifacts-unencrypted.yaml
+++ b/terraform/aws/security/aws-codebuild-artifacts-unencrypted.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-config-aggregator-not-all-regions.yaml b/terraform/aws/security/aws-config-aggregator-not-all-regions.yaml
index 05657c2435..539ba1cb66 100644
--- a/terraform/aws/security/aws-config-aggregator-not-all-regions.yaml
+++ b/terraform/aws/security/aws-config-aggregator-not-all-regions.yaml
@@ -34,6 +34,7 @@ rules:
 - aws
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 references:
diff --git a/terraform/aws/security/aws-db-instance-no-logging.yaml b/terraform/aws/security/aws-db-instance-no-logging.yaml
index b62489cbe6..26183ec5a3 100644
--- a/terraform/aws/security/aws-db-instance-no-logging.yaml
+++ b/terraform/aws/security/aws-db-instance-no-logging.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 technology:
diff --git a/terraform/aws/security/aws-documentdb-auditing-disabled.yaml b/terraform/aws/security/aws-documentdb-auditing-disabled.yaml
index df4ed59761..538ac4d355 100644
--- a/terraform/aws/security/aws-documentdb-auditing-disabled.yaml
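Review bot: In aws-db-instance-no-logging.yaml the added `A06:2025 - Insecure Design` carries forward a classification that does not match the rule id: a missing-logging finding sits under `CWE-311: Missing Encryption of Sensitive Data`, which reads as copied from the neighbouring encryption rules. The aws-documentdb-auditing-disabled hunk that follows in this same change uses `A09:2025 - Security Logging & Alerting Failures` with `CWE-778: Insufficient Logging`, which is what a no-logging rule should carry. Unless the rule body (not visible here) actually checks encryption, I would change the new line to `- A09:2025 - Security Logging & Alerting Failures` and fix the CWE in the same pass rather than propagate the mismatch into the 2025 mapping.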
+++ b/terraform/aws/security/aws-documentdb-auditing-disabled.yaml
@@ -25,6 +25,7 @@ rules:
 - aws
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 references:
diff --git a/terraform/aws/security/aws-documentdb-storage-unencrypted.yaml b/terraform/aws/security/aws-documentdb-storage-unencrypted.yaml
index 8164d268c0..d8a1a511f9 100644
--- a/terraform/aws/security/aws-documentdb-storage-unencrypted.yaml
+++ b/terraform/aws/security/aws-documentdb-storage-unencrypted.yaml
@@ -25,6 +25,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-dynamodb-table-unencrypted.yaml b/terraform/aws/security/aws-dynamodb-table-unencrypted.yaml
index 35c21cd9cc..60234ad027 100644
--- a/terraform/aws/security/aws-dynamodb-table-unencrypted.yaml
+++ b/terraform/aws/security/aws-dynamodb-table-unencrypted.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-ebs-volume-unencrypted.yaml b/terraform/aws/security/aws-ebs-volume-unencrypted.yaml
index 54c4d4c47a..6942d18a57 100644
--- a/terraform/aws/security/aws-ebs-volume-unencrypted.yaml
+++ b/terraform/aws/security/aws-ebs-volume-unencrypted.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-ec2-has-public-ip.yaml b/terraform/aws/security/aws-ec2-has-public-ip.yaml
index ad0f3d9c12..7fdaaed9db 100644
--- a/terraform/aws/security/aws-ec2-has-public-ip.yaml
+++ b/terraform/aws/security/aws-ec2-has-public-ip.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-ec2-launch-configuration-ebs-block-device-unencrypted.yaml b/terraform/aws/security/aws-ec2-launch-configuration-ebs-block-device-unencrypted.yaml
index 2398856d3a..7d59bf406b 100644
--- a/terraform/aws/security/aws-ec2-launch-configuration-ebs-block-device-unencrypted.yaml
+++ b/terraform/aws/security/aws-ec2-launch-configuration-ebs-block-device-unencrypted.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-ec2-launch-configuration-root-block-device-unencrypted.yml b/terraform/aws/security/aws-ec2-launch-configuration-root-block-device-unencrypted.yml
index a3f034e180..24beb6fff1 100644
--- a/terraform/aws/security/aws-ec2-launch-configuration-root-block-device-unencrypted.yml
+++ b/terraform/aws/security/aws-ec2-launch-configuration-root-block-device-unencrypted.yml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-ec2-launch-template-metadata-service-v1-enabled.yaml b/terraform/aws/security/aws-ec2-launch-template-metadata-service-v1-enabled.yaml
index 1822538dab..29ac97331a 100644
--- a/terraform/aws/security/aws-ec2-launch-template-metadata-service-v1-enabled.yaml
+++ b/terraform/aws/security/aws-ec2-launch-template-metadata-service-v1-enabled.yaml
@@ -39,6 +39,7 @@ rules:
 - aws
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-1390: Weak Authentication'
 references:
diff --git a/terraform/aws/security/aws-ec2-security-group-allows-public-ingress.yaml b/terraform/aws/security/aws-ec2-security-group-allows-public-ingress.yaml
index 62b8107215..b2a74a3470 100644
--- a/terraform/aws/security/aws-ec2-security-group-allows-public-ingress.yaml
+++ b/terraform/aws/security/aws-ec2-security-group-allows-public-ingress.yaml
@@ -72,6 +72,7 @@ rules:
 - aws
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-ec2-security-group-rule-missing-description.yaml b/terraform/aws/security/aws-ec2-security-group-rule-missing-description.yaml
index c65d9143f4..94d251929f 100644
--- a/terraform/aws/security/aws-ec2-security-group-rule-missing-description.yaml
+++ b/terraform/aws/security/aws-ec2-security-group-rule-missing-description.yaml
@@ -84,6 +84,7 @@ rules:
 - aws
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - "CWE-223: Omission of Security-relevant Information"
 references:
diff --git a/terraform/aws/security/aws-ecr-image-scanning-disabled.yaml b/terraform/aws/security/aws-ecr-image-scanning-disabled.yaml
index 97cd0cb305..55da06bfa8 100644
--- a/terraform/aws/security/aws-ecr-image-scanning-disabled.yaml
+++ b/terraform/aws/security/aws-ecr-image-scanning-disabled.yaml
@@ -33,6 +33,7 @@ rules:
 - aws
 owasp:
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-223: Omission of Security-relevant Information'
 subcategory:
diff --git a/terraform/aws/security/aws-ecr-mutable-image-tags.yaml b/terraform/aws/security/aws-ecr-mutable-image-tags.yaml
index 40f60d5054..235defbe8b 100644
--- a/terraform/aws/security/aws-ecr-mutable-image-tags.yaml
+++ b/terraform/aws/security/aws-ecr-mutable-image-tags.yaml
@@ -26,6 +26,7 @@ rules:
 - aws
 owasp:
 - A08:2021 - Software and Data Integrity Failures
+ - A08:2025 - Software or Data Integrity Failures
 cwe:
 - 'CWE-345: Insufficient Verification of Data Authenticity'
 references:
diff --git a/terraform/aws/security/aws-ecr-repository-wildcard-principal.yaml b/terraform/aws/security/aws-ecr-repository-wildcard-principal.yaml
index dedca5a5c0..b77aa35410 100644
--- a/terraform/aws/security/aws-ecr-repository-wildcard-principal.yaml
+++ b/terraform/aws/security/aws-ecr-repository-wildcard-principal.yaml
@@ -47,6 +47,7 @@ rules:
 - terraform
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-elasticsearch-insecure-tls-version.yaml b/terraform/aws/security/aws-elasticsearch-insecure-tls-version.yaml
index 1fab302210..94a03838b0 100644
--- a/terraform/aws/security/aws-elasticsearch-insecure-tls-version.yaml
+++ b/terraform/aws/security/aws-elasticsearch-insecure-tls-version.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - aws
diff --git a/terraform/aws/security/aws-elasticsearch-nodetonode-encryption.yaml b/terraform/aws/security/aws-elasticsearch-nodetonode-encryption.yaml
index 9680bca048..f4672e7e33 100644
--- a/terraform/aws/security/aws-elasticsearch-nodetonode-encryption.yaml
+++ b/terraform/aws/security/aws-elasticsearch-nodetonode-encryption.yaml
@@ -48,6 +48,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 references:
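Review bot: For aws-ecr-mutable-image-tags.yaml the added `A08:2025 - Software or Data Integrity Failures` is a mechanical 2021-to-2025 rename that misses the new category the 2025 list carved out of A08: `A03:2025 - Software Supply Chain Failures`. A mutable tag lets a deployed image reference be silently repointed at a different artifact, which is the supply-chain case rather than the narrower CI/CD data-integrity sense A08 keeps. I would add `- A03:2025 - Software Supply Chain Failures` (keeping the A08 line as well if both are wanted), and the same question applies to aws-ecr-image-scanning-disabled, which this change files under A09:2025 logging and alerting.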
diff --git a/terraform/aws/security/aws-elb-access-logs-not-enabled.yaml b/terraform/aws/security/aws-elb-access-logs-not-enabled.yaml
index 79b986fbc1..d0fc7355ea 100644
--- a/terraform/aws/security/aws-elb-access-logs-not-enabled.yaml
+++ b/terraform/aws/security/aws-elb-access-logs-not-enabled.yaml
@@ -35,6 +35,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-fsx-lustre-files-ystem.yaml b/terraform/aws/security/aws-fsx-lustre-files-ystem.yaml
index 74687a7af3..c87cdc31eb 100644
--- a/terraform/aws/security/aws-fsx-lustre-files-ystem.yaml
+++ b/terraform/aws/security/aws-fsx-lustre-files-ystem.yaml
@@ -22,6 +22,7 @@ rules:
 - aws
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
 references:
diff --git a/terraform/aws/security/aws-fsx-lustre-filesystem-encrypted-with-cmk.yaml b/terraform/aws/security/aws-fsx-lustre-filesystem-encrypted-with-cmk.yaml
index 50ac3e6069..8ce0a305ea 100644
--- a/terraform/aws/security/aws-fsx-lustre-filesystem-encrypted-with-cmk.yaml
+++ b/terraform/aws/security/aws-fsx-lustre-filesystem-encrypted-with-cmk.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-glacier-vault-any-principal.yaml b/terraform/aws/security/aws-glacier-vault-any-principal.yaml
index 57627b6e16..dc1af013de 100644
--- a/terraform/aws/security/aws-glacier-vault-any-principal.yaml
+++ b/terraform/aws/security/aws-glacier-vault-any-principal.yaml
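Review bot: In aws-elb-access-logs-not-enabled.yaml the added `A04:2025 - Cryptographic Failures` propagates a classification that contradicts the rule id: an access-logging rule is tagged `CWE-326: Inadequate Encryption Strength` and the 2021 Cryptographic Failures category, which looks copied from one of the TLS-version rules. Logging rules elsewhere in this change, such as aws-config-aggregator-not-all-regions, get `A09:2025 - Security Logging & Alerting Failures` with `CWE-778: Insufficient Logging`. Unless the rule body (not visible here) actually inspects TLS settings, I would change the new line to `- A09:2025 - Security Logging & Alerting Failures` and correct the CWE in the same commit so the 2025 mapping does not inherit the error.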
@@ -31,6 +31,7 @@ rules:
 - aws
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-iam-admin-policy-ssoadmin.yaml b/terraform/aws/security/aws-iam-admin-policy-ssoadmin.yaml
index 971b867598..a93ba76c5d 100644
--- a/terraform/aws/security/aws-iam-admin-policy-ssoadmin.yaml
+++ b/terraform/aws/security/aws-iam-admin-policy-ssoadmin.yaml
@@ -30,6 +30,7 @@ rules:
 - aws
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-iam-admin-policy.yaml b/terraform/aws/security/aws-iam-admin-policy.yaml
index 7905fa2be2..e0d0326e1d 100644
--- a/terraform/aws/security/aws-iam-admin-policy.yaml
+++ b/terraform/aws/security/aws-iam-admin-policy.yaml
@@ -31,6 +31,7 @@ rules:
 - terraform
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-insecure-api-gateway-tls-version.yaml b/terraform/aws/security/aws-insecure-api-gateway-tls-version.yaml
index 758c40ed16..decd4baf3f 100644
--- a/terraform/aws/security/aws-insecure-api-gateway-tls-version.yaml
+++ b/terraform/aws/security/aws-insecure-api-gateway-tls-version.yaml
@@ -40,6 +40,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 category: security
 technology:
 - aws
diff --git a/terraform/aws/security/aws-insecure-redshift-ssl-configuration.yaml b/terraform/aws/security/aws-insecure-redshift-ssl-configuration.yaml
index cdde3d59a3..c4181322fb 100644
--- a/terraform/aws/security/aws-insecure-redshift-ssl-configuration.yaml
+++ b/terraform/aws/security/aws-insecure-redshift-ssl-configuration.yaml
@@ -34,6 +34,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 references:
diff --git a/terraform/aws/security/aws-kinesis-stream-unencrypted.yaml b/terraform/aws/security/aws-kinesis-stream-unencrypted.yaml
index 059848e7ce..281771c902 100644
--- a/terraform/aws/security/aws-kinesis-stream-unencrypted.yaml
+++ b/terraform/aws/security/aws-kinesis-stream-unencrypted.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-kms-key-wildcard-principal.yaml b/terraform/aws/security/aws-kms-key-wildcard-principal.yaml
index 6e9a82f464..8f4ba4c7ca 100644
--- a/terraform/aws/security/aws-kms-key-wildcard-principal.yaml
+++ b/terraform/aws/security/aws-kms-key-wildcard-principal.yaml
@@ -32,6 +32,7 @@ rules:
 - terraform
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-kms-no-rotation.yaml b/terraform/aws/security/aws-kms-no-rotation.yaml
index 439794bd47..011696b346 100644
--- a/terraform/aws/security/aws-kms-no-rotation.yaml
+++ b/terraform/aws/security/aws-kms-no-rotation.yaml
@@ -39,6 +39,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-lambda-environment-credentials.yaml b/terraform/aws/security/aws-lambda-environment-credentials.yaml
index 0b3b9300f8..234c58d69e 100644
--- a/terraform/aws/security/aws-lambda-environment-credentials.yaml
+++ b/terraform/aws/security/aws-lambda-environment-credentials.yaml
@@ -34,6 +34,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-lambda-permission-unrestricted-source-arn.yaml b/terraform/aws/security/aws-lambda-permission-unrestricted-source-arn.yaml
index 860c902fe6..86795e6b7f 100644
--- a/terraform/aws/security/aws-lambda-permission-unrestricted-source-arn.yaml
+++ b/terraform/aws/security/aws-lambda-permission-unrestricted-source-arn.yaml
@@ -32,6 +32,7 @@ rules:
 - aws
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-network-acl-allows-all-ports.yaml b/terraform/aws/security/aws-network-acl-allows-all-ports.yaml
index df04220a98..40ce842762 100644
--- a/terraform/aws/security/aws-network-acl-allows-all-ports.yaml
+++ b/terraform/aws/security/aws-network-acl-allows-all-ports.yaml
@@ -48,6 +48,7 @@ rules:
 - aws
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-network-acl-allows-public-ingress.yaml b/terraform/aws/security/aws-network-acl-allows-public-ingress.yaml
index 10581ec6bf..f3394a93bc 100644
--- a/terraform/aws/security/aws-network-acl-allows-public-ingress.yaml
+++ b/terraform/aws/security/aws-network-acl-allows-public-ingress.yaml
@@ -71,6 +71,7 @@ rules:
 - aws
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
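Review bot: aws-lambda-environment-credentials.yaml is given `A04:2025 - Cryptographic Failures` here, while aws-provider-static-credentials.yaml, the same class of finding (a credential written into configuration), is given `A07:2025 - Authentication Failures` later in this same change, so the two credential rules now land in different 2025 buckets. The existing `CWE-326: Inadequate Encryption Strength` tag also does not describe a plaintext-secret finding, where CWE-798 or CWE-312 would be expected, and the 2021 list placed hard-coded credentials under A07. If the rule flags secrets in a Lambda `environment` block as its id suggests, I would make the new line `- A07:2025 - Authentication Failures` and revisit the CWE; if it instead checks KMS encryption of the environment, a one-line `# ` comment saying so would stop the next reader from asking the same question.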
diff --git a/terraform/aws/security/aws-provider-static-credentials.yaml b/terraform/aws/security/aws-provider-static-credentials.yaml
index c07ebca4ed..e4dd90d17a 100644
--- a/terraform/aws/security/aws-provider-static-credentials.yaml
+++ b/terraform/aws/security/aws-provider-static-credentials.yaml
@@ -28,6 +28,7 @@ rules:
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/terraform/aws/security/aws-provisioner-exec.yaml b/terraform/aws/security/aws-provisioner-exec.yaml
index d020eb9424..12740b545b 100644
--- a/terraform/aws/security/aws-provisioner-exec.yaml
+++ b/terraform/aws/security/aws-provisioner-exec.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - 'A03:2021 - Injection'
 - 'A01:2017 - Injection'
+ - A05:2025 - Injection
 cwe:
 - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
 - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
diff --git a/terraform/aws/security/aws-redshift-cluster-encrypted-with-cmk.yaml b/terraform/aws/security/aws-redshift-cluster-encrypted-with-cmk.yaml
index dae15f253f..cf7a272d98 100644
--- a/terraform/aws/security/aws-redshift-cluster-encrypted-with-cmk.yaml
+++ b/terraform/aws/security/aws-redshift-cluster-encrypted-with-cmk.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-secretsmanager-secret-unencrypted.yaml b/terraform/aws/security/aws-secretsmanager-secret-unencrypted.yaml
index bff8ae3fd1..669d98ab7b 100644
--- a/terraform/aws/security/aws-secretsmanager-secret-unencrypted.yaml
+++ b/terraform/aws/security/aws-secretsmanager-secret-unencrypted.yaml
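Review bot: The added `- A05:2025 - Injection` in aws-provisioner-exec.yaml is the only unquoted item in an `owasp:` list whose existing entries are single-quoted (`'A03:2021 - Injection'`, `'A01:2017 - Injection'`). The plain scalar parses identically, but the mixed quoting trips yamllint's `quoted-strings` consistency check and reads as a line pasted from the other files rather than written for this one. I would write it as `- 'A05:2025 - Injection'` to match the list it joins.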
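Review bot: aws-redshift-cluster-encrypted-with-cmk.yaml receives `A01:2025 - Broken Access Control`, while the parallel aws-fsx-lustre-filesystem-encrypted-with-cmk.yaml hunk earlier in this change receives `A06:2025 - Insecure Design` with CWE-311, so two rules for the same control (customer-managed KMS key on a data store) are mapped to different 2025 categories. The Redshift rule's existing `CWE-1220: Insufficient Granularity of Access Control` and `A05:2017 - Broken Access Control` tags look copied from the public-ingress rules rather than chosen for an encryption check. Unless the Redshift rule actually inspects key-policy access (its body is not visible here), I would give it the same 2025 category as the FSx rule, or `- A04:2025 - Cryptographic Failures` for both, so the CMK rules can be filtered together.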
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-sns-topic-unencrypted.yaml b/terraform/aws/security/aws-sns-topic-unencrypted.yaml
index 8ec616c91e..848eac3f7c 100644
--- a/terraform/aws/security/aws-sns-topic-unencrypted.yaml
+++ b/terraform/aws/security/aws-sns-topic-unencrypted.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-sqs-queue-policy-wildcard-action.yaml b/terraform/aws/security/aws-sqs-queue-policy-wildcard-action.yaml
index eee517eb54..f483449ea3 100644
--- a/terraform/aws/security/aws-sqs-queue-policy-wildcard-action.yaml
+++ b/terraform/aws/security/aws-sqs-queue-policy-wildcard-action.yaml
@@ -53,6 +53,7 @@ rules:
 - terraform
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-732: Incorrect Permission Assignment for Critical Resource'
 references:
diff --git a/terraform/aws/security/aws-sqs-queue-policy-wildcard-principal.yaml b/terraform/aws/security/aws-sqs-queue-policy-wildcard-principal.yaml
index 10bb7712e8..047b0397cf 100644
--- a/terraform/aws/security/aws-sqs-queue-policy-wildcard-principal.yaml
+++ b/terraform/aws/security/aws-sqs-queue-policy-wildcard-principal.yaml
@@ -118,6 +118,7 @@ rules:
 - terraform
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - "CWE-732: Incorrect Permission Assignment for Critical Resource"
 references:
diff --git a/terraform/aws/security/aws-sqs-queue-unencrypted.yaml b/terraform/aws/security/aws-sqs-queue-unencrypted.yaml
index fda760edb9..95942bf614 100644
--- a/terraform/aws/security/aws-sqs-queue-unencrypted.yaml
+++ b/terraform/aws/security/aws-sqs-queue-unencrypted.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 references:
diff --git a/terraform/aws/security/aws-ssm-document-logging-issues.yaml b/terraform/aws/security/aws-ssm-document-logging-issues.yaml
index 5325c5efd5..a4a93b452d 100644
--- a/terraform/aws/security/aws-ssm-document-logging-issues.yaml
+++ b/terraform/aws/security/aws-ssm-document-logging-issues.yaml
@@ -27,6 +27,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/aws-subnet-has-public-ip-address.yaml b/terraform/aws/security/aws-subnet-has-public-ip-address.yaml
index edeb833780..a342c80d92 100644
--- a/terraform/aws/security/aws-subnet-has-public-ip-address.yaml
+++ b/terraform/aws/security/aws-subnet-has-public-ip-address.yaml
@@ -33,6 +33,7 @@ rules:
 - aws
 owasp:
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-transfer-server-is-public.yaml b/terraform/aws/security/aws-transfer-server-is-public.yaml
index a126d51d9b..f0f0e5339e 100644
--- a/terraform/aws/security/aws-transfer-server-is-public.yaml
+++ b/terraform/aws/security/aws-transfer-server-is-public.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 references:
diff --git a/terraform/aws/security/aws-workspaces-root-volume-unencrypted.yaml b/terraform/aws/security/aws-workspaces-root-volume-unencrypted.yaml
index 425b2c62e6..e5744f7254 100644
--- a/terraform/aws/security/aws-workspaces-root-volume-unencrypted.yaml
+++ b/terraform/aws/security/aws-workspaces-root-volume-unencrypted.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/aws/security/insecure-load-balancer-tls-version.yaml b/terraform/aws/security/insecure-load-balancer-tls-version.yaml
index dbe48ba949..f27fb2aea4 100644
--- a/terraform/aws/security/insecure-load-balancer-tls-version.yaml
+++ b/terraform/aws/security/insecure-load-balancer-tls-version.yaml
@@ -49,6 +49,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 references:
diff --git a/terraform/aws/security/unrestricted-github-oidc-policy.yaml b/terraform/aws/security/unrestricted-github-oidc-policy.yaml
index 2ab8375f50..49d3f7b9b5 100644
--- a/terraform/aws/security/unrestricted-github-oidc-policy.yaml
+++ b/terraform/aws/security/unrestricted-github-oidc-policy.yaml
@@ -13,6 +13,7 @@ rules:
 owasp:
 - A05:2017 - Sensitive Data Exposure
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - "CWE-1220: Insufficient Granularity of Access Control"
 references:
diff --git a/terraform/aws/security/wildcard-assume-role.yaml b/terraform/aws/security/wildcard-assume-role.yaml
index 7bb71ff9dd..1c84c7c37e 100644
--- a/terraform/aws/security/wildcard-assume-role.yaml
+++ b/terraform/aws/security/wildcard-assume-role.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - vuln
 likelihood: MEDIUM
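Review bot: The `owasp:` list in unrestricted-github-oidc-policy.yaml that the new `A01:2025 - Broken Access Control` line extends still carries `A05:2017 - Sensitive Data Exposure`, which is a mislabel: A05 in the 2017 list was Broken Access Control, and Sensitive Data Exposure was A03:2017. The 2021 and 2025 entries both describe an access-control finding, and the CWE-1220 tag agrees, so the 2017 line is the odd one out. Since this commit is already editing exactly this list, I would correct it to `- A05:2017 - Broken Access Control` in the same hunk rather than leave three entries that disagree with each other.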
diff --git a/terraform/azure/best-practice/azure-networkinterface-enable-ip-forwarding.yaml b/terraform/azure/best-practice/azure-networkinterface-enable-ip-forwarding.yaml
index 254b42ae9d..f02dc003ed 100644
--- a/terraform/azure/best-practice/azure-networkinterface-enable-ip-forwarding.yaml
+++ b/terraform/azure/best-practice/azure-networkinterface-enable-ip-forwarding.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/aks/azure-aks-apiserver-auth-ip-ranges.yaml b/terraform/azure/security/aks/azure-aks-apiserver-auth-ip-ranges.yaml
index d29f83840b..f02e1af843 100644
--- a/terraform/azure/security/aks/azure-aks-apiserver-auth-ip-ranges.yaml
+++ b/terraform/azure/security/aks/azure-aks-apiserver-auth-ip-ranges.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/aks/azure-aks-private-clusters-enabled.yaml b/terraform/azure/security/aks/azure-aks-private-clusters-enabled.yaml
index c1363d1cd4..e34ca2ad2a 100644
--- a/terraform/azure/security/aks/azure-aks-private-clusters-enabled.yaml
+++ b/terraform/azure/security/aks/azure-aks-private-clusters-enabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/apiservice/azure-apiservices-use-virtualnetwork.yaml b/terraform/azure/security/apiservice/azure-apiservices-use-virtualnetwork.yaml
index 82c660cf87..1f82bbd249 100644
--- a/terraform/azure/security/apiservice/azure-apiservices-use-virtualnetwork.yaml
+++ b/terraform/azure/security/apiservice/azure-apiservices-use-virtualnetwork.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/appservice/appservice-account-identity-registered.yaml b/terraform/azure/security/appservice/appservice-account-identity-registered.yaml
index 6c8a3f77ac..03e1291589 100644
--- a/terraform/azure/security/appservice/appservice-account-identity-registered.yaml
+++ b/terraform/azure/security/appservice/appservice-account-identity-registered.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe:
 - 'CWE-287: Improper Authentication'
 technology:
diff --git a/terraform/azure/security/appservice/appservice-authentication-enabled.yaml b/terraform/azure/security/appservice/appservice-authentication-enabled.yaml
index 4e2778c270..82379a6d15 100644
--- a/terraform/azure/security/appservice/appservice-authentication-enabled.yaml
+++ b/terraform/azure/security/appservice/appservice-authentication-enabled.yaml
@@ -42,6 +42,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/terraform/azure/security/appservice/appservice-enable-http2.yaml b/terraform/azure/security/appservice/appservice-enable-http2.yaml
index 80796aac68..004c862890 100644
--- a/terraform/azure/security/appservice/appservice-enable-http2.yaml
+++ b/terraform/azure/security/appservice/appservice-enable-http2.yaml
@@ -42,6 +42,7 @@ rules:
 - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/terraform/azure/security/appservice/appservice-enable-https-only.yaml b/terraform/azure/security/appservice/appservice-enable-https-only.yaml
index d0fdf879c5..ca70a5eb01 100644
--- a/terraform/azure/security/appservice/appservice-enable-https-only.yaml
+++ b/terraform/azure/security/appservice/appservice-enable-https-only.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/terraform/azure/security/appservice/appservice-require-client-cert.yaml b/terraform/azure/security/appservice/appservice-require-client-cert.yaml
index 077175c519..5523f43a65 100644
--- a/terraform/azure/security/appservice/appservice-require-client-cert.yaml
+++ b/terraform/azure/security/appservice/appservice-require-client-cert.yaml
@@ -35,6 +35,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/terraform/azure/security/appservice/appservice-use-secure-tls-policy.yaml b/terraform/azure/security/appservice/appservice-use-secure-tls-policy.yaml
index db7bf6c160..761559750c 100644
--- a/terraform/azure/security/appservice/appservice-use-secure-tls-policy.yaml
+++ b/terraform/azure/security/appservice/appservice-use-secure-tls-policy.yaml
@@ -23,6 +23,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/terraform/azure/security/appservice/azure-appservice-auth.yaml b/terraform/azure/security/appservice/azure-appservice-auth.yaml
index e4346e6b2e..284120201a 100644
--- a/terraform/azure/security/appservice/azure-appservice-auth.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-auth.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-client-certificate.yaml b/terraform/azure/security/appservice/azure-appservice-client-certificate.yaml
index 84e382030c..a108795bcd 100644
--- a/terraform/azure/security/appservice/azure-appservice-client-certificate.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-client-certificate.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-detailed-errormessages-enabled.yaml b/terraform/azure/security/appservice/azure-appservice-detailed-errormessages-enabled.yaml
index 2421998e12..dfe4f3b052 100644
--- a/terraform/azure/security/appservice/azure-appservice-detailed-errormessages-enabled.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-detailed-errormessages-enabled.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A10:2017 - Insufficient Logging & Monitoring
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-disallowed-cors.yaml b/terraform/azure/security/appservice/azure-appservice-disallowed-cors.yaml
index 3ec882cd21..401d9b07b6 100644
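Review bot: The new entry `- A09:2025 - Security Logging & Alerting Failures` in the azure-appservice-detailed-errormessages-enabled hunk spells the category with an ampersand, while the 2021 entry directly above it in the same list uses "and", and as far as I know the OWASP 2025 title is also written "Security Logging and Alerting Failures". Consumers of this metadata (registry filters, dashboards, policy packs) tend to match these strings exactly, so a one-character divergence from the canonical title will split one category into two. Suggest `- A09:2025 - Security Logging and Alerting Failures`. The same string is added in the azure-appservice-enabled-failed-request, azure-appservice-http-logging-enabled, storage-queue-services-logging and gcp-cloud-storage-logging hunks.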
--- a/terraform/azure/security/appservice/azure-appservice-disallowed-cors.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-disallowed-cors.yaml
@@ -14,6 +14,7 @@ rules:
 metadata:
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-enabled-failed-request.yaml b/terraform/azure/security/appservice/azure-appservice-enabled-failed-request.yaml
index c60634694b..ac1d1534c3 100644
--- a/terraform/azure/security/appservice/azure-appservice-enabled-failed-request.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-enabled-failed-request.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A10:2017 - Insufficient Logging & Monitoring
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-http-logging-enabled.yaml b/terraform/azure/security/appservice/azure-appservice-http-logging-enabled.yaml
index 23e8ec0efe..20dd3c175d 100644
--- a/terraform/azure/security/appservice/azure-appservice-http-logging-enabled.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-http-logging-enabled.yaml
@@ -34,6 +34,7 @@ rules:
 owasp:
 - A10:2017 - Insufficient Logging & Monitoring
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-https-only.yaml b/terraform/azure/security/appservice/azure-appservice-https-only.yaml
index 70524576d7..717b57ad7b 100644
--- a/terraform/azure/security/appservice/azure-appservice-https-only.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-https-only.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-identity.yaml b/terraform/azure/security/appservice/azure-appservice-identity.yaml
index 63e22e768e..de551668ea 100644
--- a/terraform/azure/security/appservice/azure-appservice-identity.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-identity.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-identityprovider-enabled.yaml b/terraform/azure/security/appservice/azure-appservice-identityprovider-enabled.yaml
index a6d891447f..fb091cf1c0 100644
--- a/terraform/azure/security/appservice/azure-appservice-identityprovider-enabled.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-identityprovider-enabled.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/appservice/azure-appservice-min-tls-version.yaml b/terraform/azure/security/appservice/azure-appservice-min-tls-version.yaml
index 64a1bc4b06..4aebde3338 100644
--- a/terraform/azure/security/appservice/azure-appservice-min-tls-version.yaml
+++ b/terraform/azure/security/appservice/azure-appservice-min-tls-version.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/azure-cognitiveservices-disables-public-network.yaml b/terraform/azure/security/azure-cognitiveservices-disables-public-network.yaml
index ae2710a849..e1ebfe7e3d 100644
--- a/terraform/azure/security/azure-cognitiveservices-disables-public-network.yaml
+++ b/terraform/azure/security/azure-cognitiveservices-disables-public-network.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-containergroup-deployed-into-virtualnetwork.yaml b/terraform/azure/security/azure-containergroup-deployed-into-virtualnetwork.yaml
index 0c5ad7c7bc..e03fddba22 100644
--- a/terraform/azure/security/azure-containergroup-deployed-into-virtualnetwork.yaml
+++ b/terraform/azure/security/azure-containergroup-deployed-into-virtualnetwork.yaml
@@ -25,6 +25,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-cosmosdb-accounts-restricted-access.yaml b/terraform/azure/security/azure-cosmosdb-accounts-restricted-access.yaml
index 91c14e6727..5f046a783d 100644
--- a/terraform/azure/security/azure-cosmosdb-accounts-restricted-access.yaml
+++ b/terraform/azure/security/azure-cosmosdb-accounts-restricted-access.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-cosmosdb-disable-access-key-write.yaml b/terraform/azure/security/azure-cosmosdb-disable-access-key-write.yaml
index 3d0e5bbcc1..9752e72d0e 100644
--- a/terraform/azure/security/azure-cosmosdb-disable-access-key-write.yaml
+++ b/terraform/azure/security/azure-cosmosdb-disable-access-key-write.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-cosmosdb-disables-public-network.yaml b/terraform/azure/security/azure-cosmosdb-disables-public-network.yaml
index 995a4f1215..9aff670dea 100644
--- a/terraform/azure/security/azure-cosmosdb-disables-public-network.yaml
+++ b/terraform/azure/security/azure-cosmosdb-disables-public-network.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-customrole-definition-subscription-owner.yaml b/terraform/azure/security/azure-customrole-definition-subscription-owner.yaml
index b431843542..63229ed32e 100644
--- a/terraform/azure/security/azure-customrole-definition-subscription-owner.yaml
+++ b/terraform/azure/security/azure-customrole-definition-subscription-owner.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-datafactory-no-public-network-access.yaml b/terraform/azure/security/azure-datafactory-no-public-network-access.yaml
index 93ec91769c..b7a03d3d16 100644
--- a/terraform/azure/security/azure-datafactory-no-public-network-access.yaml
+++ b/terraform/azure/security/azure-datafactory-no-public-network-access.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-datafactory-uses-git-repository.yaml b/terraform/azure/security/azure-datafactory-uses-git-repository.yaml
index 810d837d5e..6932df9427 100644
--- a/terraform/azure/security/azure-datafactory-uses-git-repository.yaml
+++ b/terraform/azure/security/azure-datafactory-uses-git-repository.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-eventgrid-domain-network-access.yaml b/terraform/azure/security/azure-eventgrid-domain-network-access.yaml
index 5f6c90fc82..d034e6847d 100644
--- a/terraform/azure/security/azure-eventgrid-domain-network-access.yaml
+++ b/terraform/azure/security/azure-eventgrid-domain-network-access.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-functionapp-disallow-cors.yaml b/terraform/azure/security/azure-functionapp-disallow-cors.yaml
index 0bacd8ae45..e50b103611 100644
--- a/terraform/azure/security/azure-functionapp-disallow-cors.yaml
+++ b/terraform/azure/security/azure-functionapp-disallow-cors.yaml
@@ -14,6 +14,7 @@ rules:
 metadata:
 owasp:
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 cwe:
 - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains'
 category: security
diff --git a/terraform/azure/security/azure-functionapps-enable-auth.yaml b/terraform/azure/security/azure-functionapps-enable-auth.yaml
index 6d4867509d..cb55fcf851 100644
--- a/terraform/azure/security/azure-functionapps-enable-auth.yaml
+++ b/terraform/azure/security/azure-functionapps-enable-auth.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-instance-extensions.yaml b/terraform/azure/security/azure-instance-extensions.yaml
index 3db85854ab..3bd22404a7 100644
--- a/terraform/azure/security/azure-instance-extensions.yaml
+++ b/terraform/azure/security/azure-instance-extensions.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-iot-no-public-network-access.yaml b/terraform/azure/security/azure-iot-no-public-network-access.yaml
index f1c5880a57..daf2ee5883 100644
--- a/terraform/azure/security/azure-iot-no-public-network-access.yaml
+++ b/terraform/azure/security/azure-iot-no-public-network-access.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-mariadb-public-access-disabled.yaml b/terraform/azure/security/azure-mariadb-public-access-disabled.yaml
index b07d155326..195698c88e 100644
--- a/terraform/azure/security/azure-mariadb-public-access-disabled.yaml
+++ b/terraform/azure/security/azure-mariadb-public-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-mssql-service-mintls-version.yaml b/terraform/azure/security/azure-mssql-service-mintls-version.yaml
index e0725b4b7a..054b8d2a9c 100644
--- a/terraform/azure/security/azure-mssql-service-mintls-version.yaml
+++ b/terraform/azure/security/azure-mssql-service-mintls-version.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/azure-mysql-mintls-version.yaml b/terraform/azure/security/azure-mysql-mintls-version.yaml
index 0f9ee1b391..8d432aa53c 100644
--- a/terraform/azure/security/azure-mysql-mintls-version.yaml
+++ b/terraform/azure/security/azure-mysql-mintls-version.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/azure-mysql-public-access-disabled.yaml b/terraform/azure/security/azure-mysql-public-access-disabled.yaml
index e629a4c0da..1d28ca0cf3 100644
--- a/terraform/azure/security/azure-mysql-public-access-disabled.yaml
+++ b/terraform/azure/security/azure-mysql-public-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-postgresql-min-tls-version.yaml b/terraform/azure/security/azure-postgresql-min-tls-version.yaml
index c528c1fea5..ea9d7850f8 100644
--- a/terraform/azure/security/azure-postgresql-min-tls-version.yaml
+++ b/terraform/azure/security/azure-postgresql-min-tls-version.yaml
@@ -25,6 +25,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/azure-postgresql-server-public-access-disabled.yaml b/terraform/azure/security/azure-postgresql-server-public-access-disabled.yaml
index 341b29cd6f..e940410d01 100644
--- a/terraform/azure/security/azure-postgresql-server-public-access-disabled.yaml
+++ b/terraform/azure/security/azure-postgresql-server-public-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-redis-cache-enable-non-ssl-port.yaml b/terraform/azure/security/azure-redis-cache-enable-non-ssl-port.yaml
index f27e9a02cc..823e6a82d3 100644
--- a/terraform/azure/security/azure-redis-cache-enable-non-ssl-port.yaml
+++ b/terraform/azure/security/azure-redis-cache-enable-non-ssl-port.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-319: Cleartext Transmission of Sensitive Information'
 category: security
diff --git a/terraform/azure/security/azure-redis-cache-public-network-access-enabled.yaml b/terraform/azure/security/azure-redis-cache-public-network-access-enabled.yaml
index c1e29d5bcd..9a55b29af1 100644
--- a/terraform/azure/security/azure-redis-cache-public-network-access-enabled.yaml
+++ b/terraform/azure/security/azure-redis-cache-public-network-access-enabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-remote-debugging-not-enabled.yaml b/terraform/azure/security/azure-remote-debugging-not-enabled.yaml
index 0c431aad61..481614d68f 100644
--- a/terraform/azure/security/azure-remote-debugging-not-enabled.yaml
+++ b/terraform/azure/security/azure-remote-debugging-not-enabled.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-scale-set-password.yaml b/terraform/azure/security/azure-scale-set-password.yaml
index c8ca5ef0b3..1d073d651d 100644
--- a/terraform/azure/security/azure-scale-set-password.yaml
+++ b/terraform/azure/security/azure-scale-set-password.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-search-publicnetwork-access-disabled.yaml b/terraform/azure/security/azure-search-publicnetwork-access-disabled.yaml
index 8ce6690315..a5570fe960 100644
--- a/terraform/azure/security/azure-search-publicnetwork-access-disabled.yaml
+++ b/terraform/azure/security/azure-search-publicnetwork-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-sqlserver-no-public-access.yaml b/terraform/azure/security/azure-sqlserver-no-public-access.yaml
index 7bfb414826..917d0ffd22 100644
--- a/terraform/azure/security/azure-sqlserver-no-public-access.yaml
+++ b/terraform/azure/security/azure-sqlserver-no-public-access.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-sqlserver-public-access-disabled.yaml b/terraform/azure/security/azure-sqlserver-public-access-disabled.yaml
index 1c77169e1d..c8ff3760ae 100644
--- a/terraform/azure/security/azure-sqlserver-public-access-disabled.yaml
+++ b/terraform/azure/security/azure-sqlserver-public-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-storage-account-disable-public-access.yaml b/terraform/azure/security/azure-storage-account-disable-public-access.yaml
index 42be210e23..3825805b2b 100644
--- a/terraform/azure/security/azure-storage-account-disable-public-access.yaml
+++ b/terraform/azure/security/azure-storage-account-disable-public-access.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-storage-account-minimum-tlsversion.yaml b/terraform/azure/security/azure-storage-account-minimum-tlsversion.yaml
index 132e978629..2019a45a2a 100644
--- a/terraform/azure/security/azure-storage-account-minimum-tlsversion.yaml
+++ b/terraform/azure/security/azure-storage-account-minimum-tlsversion.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/azure/security/azure-storage-blob-service-container-private-access.yaml b/terraform/azure/security/azure-storage-blob-service-container-private-access.yaml
index 82467bd3c6..72b24c5807 100644
--- a/terraform/azure/security/azure-storage-blob-service-container-private-access.yaml
+++ b/terraform/azure/security/azure-storage-blob-service-container-private-access.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/azure-storage-sync-public-access-disabled.yaml b/terraform/azure/security/azure-storage-sync-public-access-disabled.yaml
index 1fa1c61f6b..544b6bcbe1 100644
--- a/terraform/azure/security/azure-storage-sync-public-access-disabled.yaml
+++ b/terraform/azure/security/azure-storage-sync-public-access-disabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/azure/security/functionapp/functionapp-authentication-enabled.yaml b/terraform/azure/security/functionapp/functionapp-authentication-enabled.yaml
index e16db86452..9c3687be0a 100644
--- a/terraform/azure/security/functionapp/functionapp-authentication-enabled.yaml
+++ b/terraform/azure/security/functionapp/functionapp-authentication-enabled.yaml
@@ -42,6 +42,7 @@ rules:
 owasp:
 - A02:2017 - Broken Authentication
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/terraform/azure/security/functionapp/functionapp-enable-http2.yaml b/terraform/azure/security/functionapp/functionapp-enable-http2.yaml
index 2618dc178f..76acb6c00b 100644
--- a/terraform/azure/security/functionapp/functionapp-enable-http2.yaml
+++ b/terraform/azure/security/functionapp/functionapp-enable-http2.yaml
@@ -42,6 +42,7 @@ rules:
 - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: LOW
diff --git a/terraform/azure/security/keyvault/keyvault-specify-network-acl.yaml b/terraform/azure/security/keyvault/keyvault-specify-network-acl.yaml
index 99542624df..16d872ba0f 100644
--- a/terraform/azure/security/keyvault/keyvault-specify-network-acl.yaml
+++ b/terraform/azure/security/keyvault/keyvault-specify-network-acl.yaml
@@ -45,6 +45,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - audit
 likelihood: LOW
diff --git a/terraform/azure/security/storage/storage-allow-microsoft-service-bypass.yaml b/terraform/azure/security/storage/storage-allow-microsoft-service-bypass.yaml
index 904497b875..eb2e72618d 100644
--- a/terraform/azure/security/storage/storage-allow-microsoft-service-bypass.yaml
+++ b/terraform/azure/security/storage/storage-allow-microsoft-service-bypass.yaml
@@ -54,6 +54,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - audit
 likelihood: LOW
diff --git a/terraform/azure/security/storage/storage-default-action-deny.yaml b/terraform/azure/security/storage/storage-default-action-deny.yaml
index f9e88671ee..d2ccc012e3 100644
--- a/terraform/azure/security/storage/storage-default-action-deny.yaml
+++ b/terraform/azure/security/storage/storage-default-action-deny.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A06:2017 - Security Misconfiguration
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 subcategory:
 - audit
 likelihood: LOW
diff --git a/terraform/azure/security/storage/storage-enforce-https.yaml b/terraform/azure/security/storage/storage-enforce-https.yaml
index d399093099..73c2be06be 100644
--- a/terraform/azure/security/storage/storage-enforce-https.yaml
+++ b/terraform/azure/security/storage/storage-enforce-https.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/terraform/azure/security/storage/storage-queue-services-logging.yaml b/terraform/azure/security/storage/storage-queue-services-logging.yaml
index fd4ac11b7e..bbdcdebb1b 100644
--- a/terraform/azure/security/storage/storage-queue-services-logging.yaml
+++ b/terraform/azure/security/storage/storage-queue-services-logging.yaml
@@ -44,6 +44,7 @@ rules:
 owasp:
 - A10:2017 - Insufficient Logging & Monitoring
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 subcategory:
 - audit
 likelihood: LOW
diff --git a/terraform/azure/security/storage/storage-use-secure-tls-policy.yaml b/terraform/azure/security/storage/storage-use-secure-tls-policy.yaml
index 9e366dcbac..c82705008f 100644
--- a/terraform/azure/security/storage/storage-use-secure-tls-policy.yaml
+++ b/terraform/azure/security/storage/storage-use-secure-tls-policy.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-binding.yaml b/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-binding.yaml
index 6b72252387..1d905ea285 100644
--- a/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-binding.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-member.yaml b/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-member.yaml
index 80b3ccfbab..2d94f2a1c8 100644
--- a/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-member.yaml
+++ b/terraform/gcp/security/gcp-artifact-registry-private-repo-iam-member.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-bigquery-private-table-iam-binding.yaml b/terraform/gcp/security/gcp-bigquery-private-table-iam-binding.yaml
index 271ff482b4..f4f508fc6c 100644
--- a/terraform/gcp/security/gcp-bigquery-private-table-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-bigquery-private-table-iam-binding.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-bigquery-private-table-iam-member.yaml b/terraform/gcp/security/gcp-bigquery-private-table-iam-member.yaml
index 34b8abf632..5eb212964a 100644
--- a/terraform/gcp/security/gcp-bigquery-private-table-iam-member.yaml
+++ b/terraform/gcp/security/gcp-bigquery-private-table-iam-member.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-build-workers-private.yaml b/terraform/gcp/security/gcp-build-workers-private.yaml
index 94418bcb24..d54d7cc7a5 100644
--- a/terraform/gcp/security/gcp-build-workers-private.yaml
+++ b/terraform/gcp/security/gcp-build-workers-private.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-cloud-storage-logging.yaml b/terraform/gcp/security/gcp-cloud-storage-logging.yaml
index 28c1004229..c4d9e31d82 100644
--- a/terraform/gcp/security/gcp-cloud-storage-logging.yaml
+++ b/terraform/gcp/security/gcp-cloud-storage-logging.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A10:2017 - Insufficient Logging & Monitoring
 - A09:2021 - Security Logging and Monitoring Failures
+ - A09:2025 - Security Logging & Alerting Failures
 cwe:
 - 'CWE-778: Insufficient Logging'
 technology:
diff --git a/terraform/gcp/security/gcp-compute-boot-disk-encryption.yaml b/terraform/gcp/security/gcp-compute-boot-disk-encryption.yaml
index bf2105a857..54a9a0ae96 100644
--- a/terraform/gcp/security/gcp-compute-boot-disk-encryption.yaml
+++ b/terraform/gcp/security/gcp-compute-boot-disk-encryption.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 technology:
diff --git a/terraform/gcp/security/gcp-compute-disk-encryption.yaml b/terraform/gcp/security/gcp-compute-disk-encryption.yaml
index 67034d952f..8bc46fa98e 100644
--- a/terraform/gcp/security/gcp-compute-disk-encryption.yaml
+++ b/terraform/gcp/security/gcp-compute-disk-encryption.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 cwe:
 - 'CWE-311: Missing Encryption of Sensitive Data'
 technology:
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-20.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-20.yaml
index c1c669b2da..287c8bbf42 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-20.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-20.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-21.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-21.yaml
index 5a63bf36c4..38a292014c 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-21.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-21.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
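Review bot: The new `A06:2025 - Insecure Design` tag in gcp-compute-boot-disk-encryption.yaml and gcp-compute-disk-encryption.yaml sits next to `CWE-311: Missing Encryption of Sensitive Data` and an `A03:2017 - Sensitive Data Exposure` tag, while every other encryption-related rule in this commit (gcp-compute-ssl-policy, gcp-dns-key-specs-rsasha1, gcp-sql-database-require-ssl, gcp-insecure-load-balancer-tls-version) gets `A04:2025 - Cryptographic Failures`. Adding a fresh taxonomy line is the moment to correct a carried-over mapping rather than propagate it, because these tags drive filtering and compliance reporting by OWASP category. If the rule body (not visible in the hunk) really checks for missing disk encryption, `- A04:2025 - Cryptographic Failures` is the consistent choice; gcp-memory-store-for-redis-intransit-encryption.yaml, tagged `A01:2025 - Broken Access Control` later in this diff, looks like the same kind of mismatch and is worth checking at the same time.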
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-22.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-22.yaml
index efb331be9c..8923ef1bde 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-22.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-22.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3306.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3306.yaml
index ea79802d1b..b41e210b19 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3306.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3306.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3389.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3389.yaml
index 5ea6e25c48..552afecddf 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3389.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-3389.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-80.yaml b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-80.yaml
index df1833e464..1c0c81b858 100644
--- a/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-80.yaml
+++ b/terraform/gcp/security/gcp-compute-firewall-unrestricted-ingress-80.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-ip-forward.yaml b/terraform/gcp/security/gcp-compute-ip-forward.yaml
index 1922076cf0..8865333b51 100644
--- a/terraform/gcp/security/gcp-compute-ip-forward.yaml
+++ b/terraform/gcp/security/gcp-compute-ip-forward.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-os-login.yaml b/terraform/gcp/security/gcp-compute-os-login.yaml
index 61bc4eb6c8..75355e8e6c 100644
--- a/terraform/gcp/security/gcp-compute-os-login.yaml
+++ b/terraform/gcp/security/gcp-compute-os-login.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-project-os-login.yaml b/terraform/gcp/security/gcp-compute-project-os-login.yaml
index 482d4febab..0cbc53f60b 100644
--- a/terraform/gcp/security/gcp-compute-project-os-login.yaml
+++ b/terraform/gcp/security/gcp-compute-project-os-login.yaml
@@ -28,6 +28,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-public-ip.yaml b/terraform/gcp/security/gcp-compute-public-ip.yaml
index 0c53e180e5..99c951f4bb 100644
--- a/terraform/gcp/security/gcp-compute-public-ip.yaml
+++ b/terraform/gcp/security/gcp-compute-public-ip.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-serial-ports.yaml b/terraform/gcp/security/gcp-compute-serial-ports.yaml
index 1809b3d661..8b97c59821 100644
--- a/terraform/gcp/security/gcp-compute-serial-ports.yaml
+++ b/terraform/gcp/security/gcp-compute-serial-ports.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-ssl-policy.yaml b/terraform/gcp/security/gcp-compute-ssl-policy.yaml
index 125dca4e14..c1d514bedc 100644
--- a/terraform/gcp/security/gcp-compute-ssl-policy.yaml
+++ b/terraform/gcp/security/gcp-compute-ssl-policy.yaml
@@ -36,6 +36,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-template-ip-forward.yaml b/terraform/gcp/security/gcp-compute-template-ip-forward.yaml
index afa1cd9b0d..4b5cf0a10a 100644
--- a/terraform/gcp/security/gcp-compute-template-ip-forward.yaml
+++ b/terraform/gcp/security/gcp-compute-template-ip-forward.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-compute-template-public-ip.yaml b/terraform/gcp/security/gcp-compute-template-public-ip.yaml
index 8f4dee318b..80b78de2a7 100644
--- a/terraform/gcp/security/gcp-compute-template-public-ip.yaml
+++ b/terraform/gcp/security/gcp-compute-template-public-ip.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-dataflow-private-job.yaml b/terraform/gcp/security/gcp-dataflow-private-job.yaml
index c7d82f4522..fe73981f5e 100644
--- a/terraform/gcp/security/gcp-dataflow-private-job.yaml
+++ b/terraform/gcp/security/gcp-dataflow-private-job.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-datafusion-private-instance.yaml b/terraform/gcp/security/gcp-datafusion-private-instance.yaml
index 3b533bc3ae..1aac6b41fc 100644
--- a/terraform/gcp/security/gcp-datafusion-private-instance.yaml
+++ b/terraform/gcp/security/gcp-datafusion-private-instance.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-datafusion-stack-driver-logging.yaml b/terraform/gcp/security/gcp-datafusion-stack-driver-logging.yaml
index 724e1c4af2..8f676a93ec 100644
--- a/terraform/gcp/security/gcp-datafusion-stack-driver-logging.yaml
+++ b/terraform/gcp/security/gcp-datafusion-stack-driver-logging.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-datafusion-stack-driver-monitoring.yaml b/terraform/gcp/security/gcp-datafusion-stack-driver-monitoring.yaml
index ed8b32c53c..19593db7a8 100644
--- a/terraform/gcp/security/gcp-datafusion-stack-driver-monitoring.yaml
+++ b/terraform/gcp/security/gcp-datafusion-stack-driver-monitoring.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 technology:
diff --git a/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml b/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
index 79f3649282..4536d085d5 100644
--- a/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
+++ b/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-dataproc-private-cluster-iam-binding.yaml b/terraform/gcp/security/gcp-dataproc-private-cluster-iam-binding.yaml
index 09de2d78f9..1adfee9813 100644
--- a/terraform/gcp/security/gcp-dataproc-private-cluster-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-dataproc-private-cluster-iam-binding.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
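Review bot: gcp-datafusion-stack-driver-logging.yaml receives `A01:2025 - Broken Access Control` next to `CWE-1220`, yet the same commit tags gcp-cloud-storage-logging.yaml with `A09:2025 - Security Logging & Alerting Failures` under `CWE-778: Insufficient Logging`; judging by their names, gcp-gke-enabled-vpc-flow-logs, gcp-gke-ensure-integrity-monitoring, gcp-gke-monitoring-enabled, gcp-gke-nodepool-integrity-monitoring and gcp-sub-network-logging-enabled further down the diff are in the same situation. Because the 2025 line is new, aligning these to `- A09:2025 - Security Logging & Alerting Failures` costs nothing now and keeps OWASP-based reporting of detection-coverage gaps accurate; the inherited 2017/2021 tags and the CWE could be corrected in a follow-up. The neighbouring hunk for gcp-datafusion-stack-driver-monitoring.yaml adds `A04:2025 - Cryptographic Failures` under `CWE-326`, which for a monitoring rule reads like a copy-paste mapping and deserves the same second look. The rule bodies are outside these hunks, so confirm each against the pattern it actually matches before retagging.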
diff --git a/terraform/gcp/security/gcp-dataproc-private-cluster-iam-member.yaml b/terraform/gcp/security/gcp-dataproc-private-cluster-iam-member.yaml
index 1791462779..e526886c64 100644
--- a/terraform/gcp/security/gcp-dataproc-private-cluster-iam-member.yaml
+++ b/terraform/gcp/security/gcp-dataproc-private-cluster-iam-member.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-dns-key-specs-rsasha1.yaml b/terraform/gcp/security/gcp-dns-key-specs-rsasha1.yaml
index 28556b9d6c..6fa9207767 100644
--- a/terraform/gcp/security/gcp-dns-key-specs-rsasha1.yaml
+++ b/terraform/gcp/security/gcp-dns-key-specs-rsasha1.yaml
@@ -38,6 +38,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/gcp/security/gcp-folder-impersonation-roles-iam-binding.yaml b/terraform/gcp/security/gcp-folder-impersonation-roles-iam-binding.yaml
index f0f1f074f7..150b8258fd 100644
--- a/terraform/gcp/security/gcp-folder-impersonation-roles-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-folder-impersonation-roles-iam-binding.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-folder-impersonation-roles-iam-member.yaml b/terraform/gcp/security/gcp-folder-impersonation-roles-iam-member.yaml
index 3173885621..ed325d768b 100644
--- a/terraform/gcp/security/gcp-folder-impersonation-roles-iam-member.yaml
+++ b/terraform/gcp/security/gcp-folder-impersonation-roles-iam-member.yaml
@@ -15,6 +15,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-folder-member-default-service-account-iam-binding.yaml b/terraform/gcp/security/gcp-folder-member-default-service-account-iam-binding.yaml
index 8fb060011f..6e2d3b74db 100644
--- a/terraform/gcp/security/gcp-folder-member-default-service-account-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-folder-member-default-service-account-iam-binding.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-folder-member-default-service-account-iam-member.yaml b/terraform/gcp/security/gcp-folder-member-default-service-account-iam-member.yaml
index 9b57125b9b..d0152c1929 100644
--- a/terraform/gcp/security/gcp-folder-member-default-service-account-iam-member.yaml
+++ b/terraform/gcp/security/gcp-folder-member-default-service-account-iam-member.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-basic-auth.yaml b/terraform/gcp/security/gcp-gke-basic-auth.yaml
index abdd4fc929..f4b2d0ea88 100644
--- a/terraform/gcp/security/gcp-gke-basic-auth.yaml
+++ b/terraform/gcp/security/gcp-gke-basic-auth.yaml
@@ -33,6 +33,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
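Review bot: gcp-gke-basic-auth.yaml gets `A01:2025 - Broken Access Control`, although its name points at an authentication weakness, for which the 2025 list has a separate `A07:2025 - Authentication Failures` category; gcp-gke-client-certificate-disabled.yaml and gcp-gke-legacy-auth-enabled.yaml further down the diff are similar candidates. Carrying Broken Access Control across three editions for authentication rules looks like an inherited default rather than a deliberate classification, and it makes OWASP-category dashboards under-report authentication findings. The rule bodies are outside this hunk; where they do check the cluster's authentication configuration, change the new line to `- A07:2025 - Authentication Failures` and consider revisiting the `CWE-1220` mapping alongside it.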
diff --git a/terraform/gcp/security/gcp-gke-client-certificate-disabled.yaml b/terraform/gcp/security/gcp-gke-client-certificate-disabled.yaml
index 9efd4a0227..25bd348a1b 100644
--- a/terraform/gcp/security/gcp-gke-client-certificate-disabled.yaml
+++ b/terraform/gcp/security/gcp-gke-client-certificate-disabled.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-enabled-vpc-flow-logs.yaml b/terraform/gcp/security/gcp-gke-enabled-vpc-flow-logs.yaml
index e6f46195a8..202f2b85a0 100644
--- a/terraform/gcp/security/gcp-gke-enabled-vpc-flow-logs.yaml
+++ b/terraform/gcp/security/gcp-gke-enabled-vpc-flow-logs.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-gke-ensure-integrity-monitoring.yaml b/terraform/gcp/security/gcp-gke-ensure-integrity-monitoring.yaml
index d57f06744a..c39969802c 100644
--- a/terraform/gcp/security/gcp-gke-ensure-integrity-monitoring.yaml
+++ b/terraform/gcp/security/gcp-gke-ensure-integrity-monitoring.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-gke-kubernetes-rbac-google-groups.yaml b/terraform/gcp/security/gcp-gke-kubernetes-rbac-google-groups.yaml
index d648513e27..fa4a211bfb 100644
--- a/terraform/gcp/security/gcp-gke-kubernetes-rbac-google-groups.yaml
+++ b/terraform/gcp/security/gcp-gke-kubernetes-rbac-google-groups.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-legacy-auth-enabled.yaml b/terraform/gcp/security/gcp-gke-legacy-auth-enabled.yaml
index d13c53834f..651a929cce 100644
--- a/terraform/gcp/security/gcp-gke-legacy-auth-enabled.yaml
+++ b/terraform/gcp/security/gcp-gke-legacy-auth-enabled.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-legacy-instance-metadata-disabled.yaml b/terraform/gcp/security/gcp-gke-legacy-instance-metadata-disabled.yaml
index 4c4728d3eb..2b42da8b84 100644
--- a/terraform/gcp/security/gcp-gke-legacy-instance-metadata-disabled.yaml
+++ b/terraform/gcp/security/gcp-gke-legacy-instance-metadata-disabled.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-master-authz-networks-enabled.yaml b/terraform/gcp/security/gcp-gke-master-authz-networks-enabled.yaml
index cec003c8ed..398ea1db6a 100644
--- a/terraform/gcp/security/gcp-gke-master-authz-networks-enabled.yaml
+++ b/terraform/gcp/security/gcp-gke-master-authz-networks-enabled.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-monitoring-enabled.yaml b/terraform/gcp/security/gcp-gke-monitoring-enabled.yaml
index 67023e4a03..c6c00faa6b 100644
--- a/terraform/gcp/security/gcp-gke-monitoring-enabled.yaml
+++ b/terraform/gcp/security/gcp-gke-monitoring-enabled.yaml
@@ -14,6 +14,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-gke-network-policy-enabled.yaml b/terraform/gcp/security/gcp-gke-network-policy-enabled.yaml
index a4910039a5..0b2817c11b 100644
--- a/terraform/gcp/security/gcp-gke-network-policy-enabled.yaml
+++ b/terraform/gcp/security/gcp-gke-network-policy-enabled.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-nodepool-integrity-monitoring.yaml b/terraform/gcp/security/gcp-gke-nodepool-integrity-monitoring.yaml
index 8cad09277d..f7d74e3db0 100644
--- a/terraform/gcp/security/gcp-gke-nodepool-integrity-monitoring.yaml
+++ b/terraform/gcp/security/gcp-gke-nodepool-integrity-monitoring.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-gke-pod-security-policy-enabled.yaml b/terraform/gcp/security/gcp-gke-pod-security-policy-enabled.yaml
index f7527fbe7e..90674f771a 100644
--- a/terraform/gcp/security/gcp-gke-pod-security-policy-enabled.yaml
+++ b/terraform/gcp/security/gcp-gke-pod-security-policy-enabled.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-private-cluster-config.yaml b/terraform/gcp/security/gcp-gke-private-cluster-config.yaml
index 3c457beb74..e03fb6bea8 100644
--- a/terraform/gcp/security/gcp-gke-private-cluster-config.yaml
+++ b/terraform/gcp/security/gcp-gke-private-cluster-config.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-gke-public-control-plane.yaml b/terraform/gcp/security/gcp-gke-public-control-plane.yaml
index c1fa20f8a2..0e4a6cafb2 100644
--- a/terraform/gcp/security/gcp-gke-public-control-plane.yaml
+++ b/terraform/gcp/security/gcp-gke-public-control-plane.yaml
@@ -24,6 +24,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-insecure-load-balancer-tls-version.yaml b/terraform/gcp/security/gcp-insecure-load-balancer-tls-version.yaml
index f18c859aca..9e5741e420 100644
--- a/terraform/gcp/security/gcp-insecure-load-balancer-tls-version.yaml
+++ b/terraform/gcp/security/gcp-insecure-load-balancer-tls-version.yaml
@@ -25,6 +25,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 technology:
 - gcp
 - terraform
diff --git a/terraform/gcp/security/gcp-kms-prevent-destroy.yaml b/terraform/gcp/security/gcp-kms-prevent-destroy.yaml
index 4e4d348aba..283c5b65ed 100644
--- a/terraform/gcp/security/gcp-kms-prevent-destroy.yaml
+++ b/terraform/gcp/security/gcp-kms-prevent-destroy.yaml
@@ -20,6 +20,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-memory-store-for-redis-auth-enabled.yaml b/terraform/gcp/security/gcp-memory-store-for-redis-auth-enabled.yaml
index 8045e2530d..4559e40e60 100644
--- a/terraform/gcp/security/gcp-memory-store-for-redis-auth-enabled.yaml
+++ b/terraform/gcp/security/gcp-memory-store-for-redis-auth-enabled.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-memory-store-for-redis-intransit-encryption.yaml b/terraform/gcp/security/gcp-memory-store-for-redis-intransit-encryption.yaml
index 60735ea15d..e25de8ebee 100644
--- a/terraform/gcp/security/gcp-memory-store-for-redis-intransit-encryption.yaml
+++ b/terraform/gcp/security/gcp-memory-store-for-redis-intransit-encryption.yaml
@@ -18,6 +18,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 technology:
diff --git a/terraform/gcp/security/gcp-org-impersonation-roles-iam-binding.yaml b/terraform/gcp/security/gcp-org-impersonation-roles-iam-binding.yaml
index 1fb17a52b8..422f414172 100644
--- a/terraform/gcp/security/gcp-org-impersonation-roles-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-org-impersonation-roles-iam-binding.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-org-impersonation-roles-iam-member.yaml b/terraform/gcp/security/gcp-org-impersonation-roles-iam-member.yaml
index 438e4fa894..7fa483d73f 100644
--- a/terraform/gcp/security/gcp-org-impersonation-roles-iam-member.yaml
+++ b/terraform/gcp/security/gcp-org-impersonation-roles-iam-member.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-org-member-default-service-account-iam-binding.yaml b/terraform/gcp/security/gcp-org-member-default-service-account-iam-binding.yaml
index e495a363e6..234f704097 100644
--- a/terraform/gcp/security/gcp-org-member-default-service-account-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-org-member-default-service-account-iam-binding.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-org-member-default-service-account-iam-member.yaml b/terraform/gcp/security/gcp-org-member-default-service-account-iam-member.yaml
index 1815145229..767fa5ef1a 100644
--- a/terraform/gcp/security/gcp-org-member-default-service-account-iam-member.yaml
+++ b/terraform/gcp/security/gcp-org-member-default-service-account-iam-member.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-project-default-network.yaml b/terraform/gcp/security/gcp-project-default-network.yaml
index 627a2339db..06143b4129 100644
--- a/terraform/gcp/security/gcp-project-default-network.yaml
+++ b/terraform/gcp/security/gcp-project-default-network.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-project-member-default-service-account-iam-binding.yaml b/terraform/gcp/security/gcp-project-member-default-service-account-iam-binding.yaml
index 3b960ed534..8d9314f2fb 100644
--- a/terraform/gcp/security/gcp-project-member-default-service-account-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-project-member-default-service-account-iam-binding.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-project-member-default-service-account-iam-member.yaml b/terraform/gcp/security/gcp-project-member-default-service-account-iam-member.yaml
index 286edc7833..4e4b017037 100644
--- a/terraform/gcp/security/gcp-project-member-default-service-account-iam-member.yaml
+++ b/terraform/gcp/security/gcp-project-member-default-service-account-iam-member.yaml
@@ -17,6 +17,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-project-service-account-user-iam-binding.yaml b/terraform/gcp/security/gcp-project-service-account-user-iam-binding.yaml
index cbc77c6684..1cfdfe6a8d 100644
--- a/terraform/gcp/security/gcp-project-service-account-user-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-project-service-account-user-iam-binding.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-project-service-account-user-iam-member.yaml b/terraform/gcp/security/gcp-project-service-account-user-iam-member.yaml
index 81cdb085de..1ff823aab7 100644
--- a/terraform/gcp/security/gcp-project-service-account-user-iam-member.yaml
+++ b/terraform/gcp/security/gcp-project-service-account-user-iam-member.yaml
@@ -22,6 +22,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-pubsub-private-topic-iam-binding.yaml b/terraform/gcp/security/gcp-pubsub-private-topic-iam-binding.yaml
index a555454a8a..e63530e22a 100644
--- a/terraform/gcp/security/gcp-pubsub-private-topic-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-pubsub-private-topic-iam-binding.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-pubsub-private-topic-iam-member.yaml b/terraform/gcp/security/gcp-pubsub-private-topic-iam-member.yaml
index 6713277384..97669b4604 100644
--- a/terraform/gcp/security/gcp-pubsub-private-topic-iam-member.yaml
+++ b/terraform/gcp/security/gcp-pubsub-private-topic-iam-member.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-run-private-service-iam-binding.yaml b/terraform/gcp/security/gcp-run-private-service-iam-binding.yaml
index 7b3e971e63..f9373f8fd2 100644
--- a/terraform/gcp/security/gcp-run-private-service-iam-binding.yaml
+++ b/terraform/gcp/security/gcp-run-private-service-iam-binding.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-run-private-service-iam-member.yaml b/terraform/gcp/security/gcp-run-private-service-iam-member.yaml
index 7b35756e07..d07404ca1b 100644
--- a/terraform/gcp/security/gcp-run-private-service-iam-member.yaml
+++ b/terraform/gcp/security/gcp-run-private-service-iam-member.yaml
@@ -21,6 +21,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 cwe:
 - 'CWE-1220: Insufficient Granularity of Access Control'
 category: security
diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
index c173358049..b3bb42c44c 100644
--- a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
+++ b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 cwe:
 - 'CWE-326: Inadequate Encryption Strength'
 category: security
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml
index 6bed95a5c0..4afb9b358a 100644
--- a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml
@@ -39,6 +39,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml index a2770d385c..c9cf000979 100644 --- a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml +++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml @@ -39,6 +39,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security diff --git a/terraform/gcp/security/gcp-sql-public-database.yaml b/terraform/gcp/security/gcp-sql-public-database.yaml index c024e83aae..d2b23343e8 100644 --- a/terraform/gcp/security/gcp-sql-public-database.yaml +++ b/terraform/gcp/security/gcp-sql-public-database.yaml @@ -41,6 +41,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-sqlserver-no-public-ip.yaml b/terraform/gcp/security/gcp-sqlserver-no-public-ip.yaml index 6fbba8eaa8..4b378252dc 100644 --- a/terraform/gcp/security/gcp-sqlserver-no-public-ip.yaml +++ b/terraform/gcp/security/gcp-sqlserver-no-public-ip.yaml @@ -18,6 +18,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-storage-bucket-not-public-iam-binding.yaml b/terraform/gcp/security/gcp-storage-bucket-not-public-iam-binding.yaml index 87a335439c..403c8957bc 100644 
--- a/terraform/gcp/security/gcp-storage-bucket-not-public-iam-binding.yaml +++ b/terraform/gcp/security/gcp-storage-bucket-not-public-iam-binding.yaml @@ -14,6 +14,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-storage-bucket-not-public-iam-member.yaml b/terraform/gcp/security/gcp-storage-bucket-not-public-iam-member.yaml index 97f042a550..bd38302e1c 100644 --- a/terraform/gcp/security/gcp-storage-bucket-not-public-iam-member.yaml +++ b/terraform/gcp/security/gcp-storage-bucket-not-public-iam-member.yaml @@ -14,6 +14,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-storage-bucket-uniform-access.yaml b/terraform/gcp/security/gcp-storage-bucket-uniform-access.yaml index 239b6bc8be..0fc4be0b85 100644 --- a/terraform/gcp/security/gcp-storage-bucket-uniform-access.yaml +++ b/terraform/gcp/security/gcp-storage-bucket-uniform-access.yaml @@ -20,6 +20,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-sub-network-logging-enabled.yaml b/terraform/gcp/security/gcp-sub-network-logging-enabled.yaml index b196e52e14..7ec4e1c00b 100644 --- a/terraform/gcp/security/gcp-sub-network-logging-enabled.yaml +++ b/terraform/gcp/security/gcp-sub-network-logging-enabled.yaml @@ -20,6 +20,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: 
diff --git a/terraform/gcp/security/gcp-sub-network-private-google-enabled.yaml b/terraform/gcp/security/gcp-sub-network-private-google-enabled.yaml index 53801ba875..bd554877a8 100644 --- a/terraform/gcp/security/gcp-sub-network-private-google-enabled.yaml +++ b/terraform/gcp/security/gcp-sub-network-private-google-enabled.yaml @@ -18,6 +18,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/gcp/security/gcp-vertexai-private-instance.yaml b/terraform/gcp/security/gcp-vertexai-private-instance.yaml index 223ad8f6c1..72274932f4 100644 --- a/terraform/gcp/security/gcp-vertexai-private-instance.yaml +++ b/terraform/gcp/security/gcp-vertexai-private-instance.yaml @@ -18,6 +18,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security diff --git a/terraform/lang/security/ec2-imdsv1-optional.yaml b/terraform/lang/security/ec2-imdsv1-optional.yaml index a53e24678e..bac5efdc47 100644 --- a/terraform/lang/security/ec2-imdsv1-optional.yaml +++ b/terraform/lang/security/ec2-imdsv1-optional.yaml @@ -16,6 +16,7 @@ rules: - aws owasp: - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/terraform/lang/security/ecr-image-scan-on-push.yaml b/terraform/lang/security/ecr-image-scan-on-push.yaml index ea3fa364d9..ab08b9de06 100644 --- a/terraform/lang/security/ecr-image-scan-on-push.yaml +++ b/terraform/lang/security/ecr-image-scan-on-push.yaml @@ -30,6 +30,7 @@ rules: - aws owasp: - A06:2021 - Vulnerable and Outdated Components + - A03:2025 - Software Supply Chain Failures references: - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components subcategory: 
diff --git a/terraform/lang/security/eks-insufficient-control-plane-logging.yaml b/terraform/lang/security/eks-insufficient-control-plane-logging.yaml index a0cde72c61..4c3a2933de 100644 --- a/terraform/lang/security/eks-insufficient-control-plane-logging.yaml +++ b/terraform/lang/security/eks-insufficient-control-plane-logging.yaml @@ -38,6 +38,7 @@ rules: owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures + - A09:2025 - Security Logging & Alerting Failures subcategory: - audit likelihood: LOW diff --git a/terraform/lang/security/eks-public-endpoint-enabled.yaml b/terraform/lang/security/eks-public-endpoint-enabled.yaml index 2ede623ffc..26669f66c9 100644 --- a/terraform/lang/security/eks-public-endpoint-enabled.yaml +++ b/terraform/lang/security/eks-public-endpoint-enabled.yaml @@ -29,6 +29,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2021-top25: true diff --git a/terraform/lang/security/elastic-search-encryption-at-rest.yaml b/terraform/lang/security/elastic-search-encryption-at-rest.yaml index b91f1560fa..b0c071dbec 100644 --- a/terraform/lang/security/elastic-search-encryption-at-rest.yaml +++ b/terraform/lang/security/elastic-search-encryption-at-rest.yaml @@ -30,6 +30,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design + - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: diff --git a/terraform/lang/security/iam/no-iam-admin-privileges.yaml b/terraform/lang/security/iam/no-iam-admin-privileges.yaml index db11f11053..7026421f0f 100644 --- a/terraform/lang/security/iam/no-iam-admin-privileges.yaml +++ b/terraform/lang/security/iam/no-iam-admin-privileges.yaml @@ -83,6 +83,7 @@ rules: - aws owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW 
diff --git a/terraform/lang/security/iam/no-iam-creds-exposure.yaml b/terraform/lang/security/iam/no-iam-creds-exposure.yaml index 49eeaa1f39..413f3301eb 100644 --- a/terraform/lang/security/iam/no-iam-creds-exposure.yaml +++ b/terraform/lang/security/iam/no-iam-creds-exposure.yaml @@ -164,6 +164,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit diff --git a/terraform/lang/security/iam/no-iam-data-exfiltration.yaml b/terraform/lang/security/iam/no-iam-data-exfiltration.yaml index 096ad0c2cd..15d09de36a 100644 --- a/terraform/lang/security/iam/no-iam-data-exfiltration.yaml +++ b/terraform/lang/security/iam/no-iam-data-exfiltration.yaml @@ -105,6 +105,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit diff --git a/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml b/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml index 45b1b93dfc..0044f60ba5 100644 --- a/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml +++ b/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml @@ -98,6 +98,7 @@ rules: - aws owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW diff --git a/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml b/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml index 68872fc664..2c8f1058f0 100644 --- a/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml +++ b/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml @@ -122,6 +122,7 @@ rules: - aws owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW diff --git a/terraform/lang/security/iam/no-iam-resource-exposure.yaml b/terraform/lang/security/iam/no-iam-resource-exposure.yaml index 9125090870..0071516264 100644 --- a/terraform/lang/security/iam/no-iam-resource-exposure.yaml 
+++ b/terraform/lang/security/iam/no-iam-resource-exposure.yaml @@ -782,6 +782,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit diff --git a/terraform/lang/security/iam/no-iam-star-actions.yaml b/terraform/lang/security/iam/no-iam-star-actions.yaml index 01bd7135ae..ee3a0c4457 100644 --- a/terraform/lang/security/iam/no-iam-star-actions.yaml +++ b/terraform/lang/security/iam/no-iam-star-actions.yaml @@ -80,6 +80,7 @@ rules: - aws owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW diff --git a/terraform/lang/security/rds-insecure-password-storage-in-source-code.yaml b/terraform/lang/security/rds-insecure-password-storage-in-source-code.yaml index 4bfa980a15..276f13ac76 100644 --- a/terraform/lang/security/rds-insecure-password-storage-in-source-code.yaml +++ b/terraform/lang/security/rds-insecure-password-storage-in-source-code.yaml @@ -35,6 +35,7 @@ rules: owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design + - A06:2025 - Insecure Design cwe2021-top25: true subcategory: - vuln diff --git a/terraform/lang/security/rds-public-access.yaml b/terraform/lang/security/rds-public-access.yaml index 8571d9239d..80d97e6096 100644 --- a/terraform/lang/security/rds-public-access.yaml +++ b/terraform/lang/security/rds-public-access.yaml @@ -23,6 +23,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW diff --git a/terraform/lang/security/s3-cors-all-origins.yaml b/terraform/lang/security/s3-cors-all-origins.yaml index 2c3c473855..501894fa21 100644 --- a/terraform/lang/security/s3-cors-all-origins.yaml +++ b/terraform/lang/security/s3-cors-all-origins.yaml @@ -18,6 +18,7 @@ rules: - aws owasp: - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration subcategory: - audit likelihood: LOW 
diff --git a/terraform/lang/security/s3-public-read-bucket.yaml b/terraform/lang/security/s3-public-read-bucket.yaml index e6ea85658e..0819a56094 100644 --- a/terraform/lang/security/s3-public-read-bucket.yaml +++ b/terraform/lang/security/s3-public-read-bucket.yaml @@ -26,6 +26,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit diff --git a/terraform/lang/security/s3-public-rw-bucket.yaml b/terraform/lang/security/s3-public-rw-bucket.yaml index 6cdbea4606..528ef19b92 100644 --- a/terraform/lang/security/s3-public-rw-bucket.yaml +++ b/terraform/lang/security/s3-public-rw-bucket.yaml @@ -17,6 +17,7 @@ rules: - aws owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - vuln diff --git a/terraform/lang/security/s3-unencrypted-bucket.yaml b/terraform/lang/security/s3-unencrypted-bucket.yaml index c421a855fc..f48a21c6f0 100644 --- a/terraform/lang/security/s3-unencrypted-bucket.yaml +++ b/terraform/lang/security/s3-unencrypted-bucket.yaml @@ -23,6 +23,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - vuln likelihood: MEDIUM diff --git a/typescript/angular/security/audit/angular-domsanitizer.yaml b/typescript/angular/security/audit/angular-domsanitizer.yaml index a62133be6f..04b1260148 100644 --- a/typescript/angular/security/audit/angular-domsanitizer.yaml +++ b/typescript/angular/security/audit/angular-domsanitizer.yaml @@ -15,6 +15,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection confidence: MEDIUM category: security technology: diff --git a/typescript/aws-cdk/security/audit/awscdk-bucket-encryption.yml b/typescript/aws-cdk/security/audit/awscdk-bucket-encryption.yml index aca24e43bd..54f1567b1a 100644 --- a/typescript/aws-cdk/security/audit/awscdk-bucket-encryption.yml 
+++ b/typescript/aws-cdk/security/audit/awscdk-bucket-encryption.yml @@ -15,6 +15,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - vuln likelihood: LOW diff --git a/typescript/aws-cdk/security/audit/awscdk-bucket-enforcessl.yml b/typescript/aws-cdk/security/audit/awscdk-bucket-enforcessl.yml index 84538c155e..0204da3c9a 100644 --- a/typescript/aws-cdk/security/audit/awscdk-bucket-enforcessl.yml +++ b/typescript/aws-cdk/security/audit/awscdk-bucket-enforcessl.yml @@ -13,6 +13,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM diff --git a/typescript/aws-cdk/security/audit/awscdk-sqs-unencryptedqueue.yml b/typescript/aws-cdk/security/audit/awscdk-sqs-unencryptedqueue.yml index 15e2007249..fd336478c4 100644 --- a/typescript/aws-cdk/security/audit/awscdk-sqs-unencryptedqueue.yml +++ b/typescript/aws-cdk/security/audit/awscdk-sqs-unencryptedqueue.yml @@ -14,6 +14,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design + - A06:2025 - Insecure Design subcategory: - vuln likelihood: LOW diff --git a/typescript/aws-cdk/security/awscdk-bucket-grantpublicaccessmethod.yml b/typescript/aws-cdk/security/awscdk-bucket-grantpublicaccessmethod.yml index 2725ea5794..5686765570 100644 --- a/typescript/aws-cdk/security/awscdk-bucket-grantpublicaccessmethod.yml +++ b/typescript/aws-cdk/security/awscdk-bucket-grantpublicaccessmethod.yml @@ -12,6 +12,7 @@ rules: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html owasp: - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: 
diff --git a/typescript/aws-cdk/security/awscdk-codebuild-project-public.yml b/typescript/aws-cdk/security/awscdk-codebuild-project-public.yml index 19956725b1..61b50c383d 100644 --- a/typescript/aws-cdk/security/awscdk-codebuild-project-public.yml +++ b/typescript/aws-cdk/security/awscdk-codebuild-project-public.yml @@ -13,6 +13,7 @@ rules: - https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html owasp: - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/typescript/lang/security/audit/cors-regex-wildcard.yaml b/typescript/lang/security/audit/cors-regex-wildcard.yaml index bd70eb7594..4f959a99da 100644 --- a/typescript/lang/security/audit/cors-regex-wildcard.yaml +++ b/typescript/lang/security/audit/cors-regex-wildcard.yaml @@ -9,6 +9,7 @@ rules: - cors owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: diff --git a/typescript/nestjs/security/audit/nestjs-header-cors-any.yaml b/typescript/nestjs/security/audit/nestjs-header-cors-any.yaml index 5078594eeb..304dacc0a7 100644 --- a/typescript/nestjs/security/audit/nestjs-header-cors-any.yaml +++ b/typescript/nestjs/security/audit/nestjs-header-cors-any.yaml @@ -16,6 +16,7 @@ rules: - nestjs owasp: - A04:2021 - Insecure Design + - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: diff --git a/typescript/nestjs/security/audit/nestjs-header-xss-disabled.yaml b/typescript/nestjs/security/audit/nestjs-header-xss-disabled.yaml index 0d7a466747..8fa2d342c8 100644 --- a/typescript/nestjs/security/audit/nestjs-header-xss-disabled.yaml +++ b/typescript/nestjs/security/audit/nestjs-header-xss-disabled.yaml 
@@ -11,6 +11,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true diff --git a/typescript/nestjs/security/audit/nestjs-open-redirect.yaml b/typescript/nestjs/security/audit/nestjs-open-redirect.yaml index 90666d4623..5865bf6328 100644 --- a/typescript/nestjs/security/audit/nestjs-open-redirect.yaml +++ b/typescript/nestjs/security/audit/nestjs-open-redirect.yaml @@ -10,6 +10,7 @@ rules: - nestjs owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: diff --git a/typescript/react/security/audit/react-dangerouslysetinnerhtml.yaml b/typescript/react/security/audit/react-dangerouslysetinnerhtml.yaml index a66a5b21de..06c26cc17f 100644 --- a/typescript/react/security/audit/react-dangerouslysetinnerhtml.yaml +++ b/typescript/react/security/audit/react-dangerouslysetinnerhtml.yaml @@ -12,6 +12,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html category: security diff --git a/typescript/react/security/audit/react-href-var.yaml b/typescript/react/security/audit/react-href-var.yaml index e4bdb68ba0..eb68e56822 100644 --- a/typescript/react/security/audit/react-href-var.yaml +++ b/typescript/react/security/audit/react-href-var.yaml @@ -12,6 +12,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://reactjs.org/blog/2019/08/08/react-v16.9.0.html#deprecating-javascript-urls - https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part1.html 
diff --git a/typescript/react/security/audit/react-jwt-decoded-property.yaml b/typescript/react/security/audit/react-jwt-decoded-property.yaml index 7726d44e8d..4b9ba27280 100644 --- a/typescript/react/security/audit/react-jwt-decoded-property.yaml +++ b/typescript/react/security/audit/react-jwt-decoded-property.yaml @@ -10,6 +10,7 @@ rules: category: security owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control technology: - react subcategory: diff --git a/typescript/react/security/audit/react-jwt-in-localstorage.yaml b/typescript/react/security/audit/react-jwt-in-localstorage.yaml index 5ca063f359..c4b4bfe7ba 100644 --- a/typescript/react/security/audit/react-jwt-in-localstorage.yaml +++ b/typescript/react/security/audit/react-jwt-in-localstorage.yaml @@ -11,6 +11,7 @@ rules: category: security owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control technology: - react subcategory: diff --git a/typescript/react/security/audit/react-unsanitized-method.yaml b/typescript/react/security/audit/react-unsanitized-method.yaml index 6a1f8d6fd5..245d72d3d2 100644 --- a/typescript/react/security/audit/react-unsanitized-method.yaml +++ b/typescript/react/security/audit/react-unsanitized-method.yaml @@ -11,6 +11,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln - https://developer.mozilla.org/en-US/docs/Web/API/Document/write diff --git a/typescript/react/security/audit/react-unsanitized-property.yaml b/typescript/react/security/audit/react-unsanitized-property.yaml index 6dc36f86b3..555f2d3076 100644 --- a/typescript/react/security/audit/react-unsanitized-property.yaml +++ b/typescript/react/security/audit/react-unsanitized-property.yaml 
@@ -11,6 +11,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html category: security diff --git a/typescript/react/security/react-insecure-request.yaml b/typescript/react/security/react-insecure-request.yaml index dc6356a1d8..94fbe9dbd9 100644 --- a/typescript/react/security/react-insecure-request.yaml +++ b/typescript/react/security/react-insecure-request.yaml @@ -7,6 +7,7 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: diff --git a/typescript/react/security/react-markdown-insecure-html.yaml b/typescript/react/security/react-markdown-insecure-html.yaml index ed0a630df3..df5cb6fe39 100644 --- a/typescript/react/security/react-markdown-insecure-html.yaml +++ b/typescript/react/security/react-markdown-insecure-html.yaml @@ -9,6 +9,7 @@ rules: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection + - A05:2025 - Injection references: - https://www.npmjs.com/package/react-markdown#security category: security diff --git a/yaml/docker-compose/security/exposing-docker-socket-volume.yaml b/yaml/docker-compose/security/exposing-docker-socket-volume.yaml index 6f39292d56..098f68c992 100644 --- a/yaml/docker-compose/security/exposing-docker-socket-volume.yaml +++ b/yaml/docker-compose/security/exposing-docker-socket-volume.yaml @@ -66,6 +66,7 @@ rules: owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration subcategory: - audit likelihood: LOW diff --git a/yaml/docker-compose/security/no-new-privileges.yaml b/yaml/docker-compose/security/no-new-privileges.yaml index a0b48a49da..92f429afea 100644 --- a/yaml/docker-compose/security/no-new-privileges.yaml 
+++ b/yaml/docker-compose/security/no-new-privileges.yaml @@ -29,6 +29,7 @@ rules: owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration + - A02:2025 - Security Misconfiguration references: - https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/ - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt diff --git a/yaml/docker-compose/security/privileged-service.yaml b/yaml/docker-compose/security/privileged-service.yaml index a541005ef9..3e314fb3ec 100644 --- a/yaml/docker-compose/security/privileged-service.yaml +++ b/yaml/docker-compose/security/privileged-service.yaml @@ -26,6 +26,7 @@ rules: owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration references: - https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html - https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/ diff --git a/yaml/docker-compose/security/seccomp-confinement-disabled.yaml b/yaml/docker-compose/security/seccomp-confinement-disabled.yaml index b3b5841bb4..b77e605f42 100644 --- a/yaml/docker-compose/security/seccomp-confinement-disabled.yaml +++ b/yaml/docker-compose/security/seccomp-confinement-disabled.yaml @@ -28,6 +28,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW diff --git a/yaml/docker-compose/security/selinux-separation-disabled.yaml b/yaml/docker-compose/security/selinux-separation-disabled.yaml index b8201b1499..5a7a048748 100644 --- a/yaml/docker-compose/security/selinux-separation-disabled.yaml +++ b/yaml/docker-compose/security/selinux-separation-disabled.yaml 
@@ -29,6 +29,7 @@ rules: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW diff --git a/yaml/docker-compose/security/writable-filesystem-service.yaml b/yaml/docker-compose/security/writable-filesystem-service.yaml index e5d8fc03d8..1d1094f7a7 100644 --- a/yaml/docker-compose/security/writable-filesystem-service.yaml +++ b/yaml/docker-compose/security/writable-filesystem-service.yaml @@ -30,6 +30,7 @@ rules: owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration + - A02:2025 - Security Misconfiguration references: - https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir - https://blog.atomist.com/security-of-docker-kubernetes/ diff --git a/yaml/github-actions/security/curl-eval.yaml b/yaml/github-actions/security/curl-eval.yaml index 551af192af..3560c4aaee 100644 --- a/yaml/github-actions/security/curl-eval.yaml +++ b/yaml/github-actions/security/curl-eval.yaml @@ -13,6 +13,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections technology: diff --git a/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml b/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml index 6082607f94..f4ddde6ddd 100644 --- a/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml +++ b/yaml/github-actions/security/detect-shai-hulud-backdoor.yaml @@ -14,6 +14,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection technology: - github-actions cwe2022-top25: true 
diff --git a/yaml/github-actions/security/github-script-injection.yaml b/yaml/github-actions/security/github-script-injection.yaml index 2c2e9a5a7e..b3b95e2ee6 100644 --- a/yaml/github-actions/security/github-script-injection.yaml +++ b/yaml/github-actions/security/github-script-injection.yaml @@ -18,6 +18,7 @@ rules: - "CWE-94: Improper Control of Generation of Code ('Code Injection')" owasp: - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections - https://securitylab.github.com/research/github-actions-untrusted-input/ diff --git a/yaml/github-actions/security/pull-request-target-code-checkout.yaml b/yaml/github-actions/security/pull-request-target-code-checkout.yaml index 9c8888f0e2..bfbf2f016f 100644 --- a/yaml/github-actions/security/pull-request-target-code-checkout.yaml +++ b/yaml/github-actions/security/pull-request-target-code-checkout.yaml @@ -20,6 +20,7 @@ rules: category: security owasp: - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control cwe: - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' references: diff --git a/yaml/github-actions/security/run-shell-injection.test.yaml b/yaml/github-actions/security/run-shell-injection.test.yaml index 11f7f74f83..7e47e70030 100644 --- a/yaml/github-actions/security/run-shell-injection.test.yaml +++ b/yaml/github-actions/security/run-shell-injection.test.yaml 
@@ -137,3 +137,33 @@ jobs: # ok: run-shell-injection run: | echo "${{ steps.shell_command.outputs.some_value }}" + + # ruleid: run-shell-injection + - run: echo "${{ github.head_ref || 'default' }}" + + # ruleid: run-shell-injection + - run: echo "${{ foo && github.head_ref }}" + + # ruleid: run-shell-injection + - run: echo "${{ foo && github.head_ref || 'default' }}" + + # ruleid: run-shell-injection + - run: echo "${{ foo || github.head_ref }}" + + # ruleid: run-shell-injection + - run: echo "${{ foo || github.head_ref || bar }}" + + # ok: run-shell-injection + - run: echo "${{ github.head_ref && 'yes' }}" + + # ok: run-shell-injection + - run: echo "${{ github.head_ref && foo || bar }}" + + # ok: run-shell-injection + - run: echo "${{ foo || github.head_ref && bar }}" + + # ok: run-shell-injection + - run: echo "${{ github.sha }}" + + # ok: run-shell-injection + - run: echo "${{ github.repository }}" diff --git a/yaml/github-actions/security/run-shell-injection.yaml b/yaml/github-actions/security/run-shell-injection.yaml index 86c869dc32..76a6b088f4 100644 --- a/yaml/github-actions/security/run-shell-injection.yaml +++ b/yaml/github-actions/security/run-shell-injection.yaml @@ -14,6 +14,7 @@ rules: owasp: - A01:2017 - Injection - A03:2021 - Injection + - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections - https://securitylab.github.com/research/github-actions-untrusted-input/ 
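Review bot: Every new fixture uses `github.head_ref`, so the test file never exercises the `...`-style sources (`inputs`, `github.event.inputs`, `github.event.commits ... .author.*`, `github.event.pages ... .page_name`) under the new `&&`/`||` handling, and the rule file in this same commit gives those sources no `&&` exclusion. An `# ok: run-shell-injection` step such as `- run: echo "${{ inputs.flag && 'yes' }}"` would either confirm the exclusion is meant to cover them or make the asymmetry visible in CI. The `jobs:` block these steps belong to starts before the hunk.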
@@ -37,25 +38,43 @@ rules: metavariable: $SHELL patterns: - pattern-either: - - pattern: ${{ github.event.issue.title }} - - pattern: ${{ github.event.issue.body }} - - pattern: ${{ github.event.pull_request.title }} - - pattern: ${{ github.event.pull_request.body }} - - pattern: ${{ github.event.comment.body }} - - pattern: ${{ github.event.review.body }} - - pattern: ${{ github.event.review_comment.body }} - - pattern: ${{ github.event.pages. ... .page_name}} - - pattern: ${{ github.event.head_commit.message }} - - pattern: ${{ github.event.head_commit.author.email }} - - pattern: ${{ github.event.head_commit.author.name }} - - pattern: ${{ github.event.commits ... .author.email }} - - pattern: ${{ github.event.commits ... .author.name }} - - pattern: ${{ github.event.pull_request.head.ref }} - - pattern: ${{ github.event.pull_request.head.label }} - - pattern: ${{ github.event.pull_request.head.repo.default_branch }} - - pattern: ${{ github.head_ref }} - - pattern: ${{ github.event.inputs ... }} - - pattern: ${{ github.event.discussion.title }} - - pattern: ${{ github.event.discussion.body }} - - pattern: ${{ inputs ... }} + - pattern: ${{ ... github.event.issue.title ... }} + - pattern: ${{ ... github.event.issue.body ... }} + - pattern: ${{ ... github.event.pull_request.title ... }} + - pattern: ${{ ... github.event.pull_request.body ... }} + - pattern: ${{ ... github.event.comment.body ... }} + - pattern: ${{ ... github.event.review.body ... }} + - pattern: ${{ ... github.event.review_comment.body ... }} + - pattern: ${{ ... github.event.pages ... .page_name ... }} + - pattern: ${{ ... github.event.head_commit.message ... }} + - pattern: ${{ ... github.event.head_commit.author.email ... }} + - pattern: ${{ ... github.event.head_commit.author.name ... }} + - pattern: ${{ ... github.event.commits ... .author.email ... }} + - pattern: ${{ ... github.event.commits ... .author.name ... }} + - pattern: ${{ ... github.event.pull_request.head.ref ... 
}} + - pattern: ${{ ... github.event.pull_request.head.label ... }} + - pattern: ${{ ... github.event.pull_request.head.repo.default_branch ... }} + - pattern: ${{ ... github.head_ref ... }} + - pattern: ${{ ... github.event.inputs ... }} + - pattern: ${{ ... github.event.discussion.title ... }} + - pattern: ${{ ... github.event.discussion.body ... }} + - pattern: ${{ ... inputs ... }} + # Exclude safe patterns where variable is only checked for truthiness (left of &&) + # e.g., ${{ github.head_ref && 'literal' }} is safe - value not interpolated + - pattern-not: ${{ ... github.event.issue.title && ... }} + - pattern-not: ${{ ... github.event.issue.body && ... }} + - pattern-not: ${{ ... github.event.pull_request.title && ... }} + - pattern-not: ${{ ... github.event.pull_request.body && ... }} + - pattern-not: ${{ ... github.event.comment.body && ... }} + - pattern-not: ${{ ... github.event.review.body && ... }} + - pattern-not: ${{ ... github.event.review_comment.body && ... }} + - pattern-not: ${{ ... github.event.head_commit.message && ... }} + - pattern-not: ${{ ... github.event.head_commit.author.email && ... }} + - pattern-not: ${{ ... github.event.head_commit.author.name && ... }} + - pattern-not: ${{ ... github.event.pull_request.head.ref && ... }} + - pattern-not: ${{ ... github.event.pull_request.head.label && ... }} + - pattern-not: ${{ ... github.event.pull_request.head.repo.default_branch && ... }} + - pattern-not: ${{ ... github.head_ref && ... }} + - pattern-not: ${{ ... github.event.discussion.title && ... }} + - pattern-not: ${{ ... github.event.discussion.body && ... }} severity: ERROR diff --git a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml index 2a234442d8..12b9e8aba0 100644 --- a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml +++ b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml 
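Review bot: The `pattern-not` list covers 16 of the 21 sources now matched with surrounding `...`: `github.event.pages ... .page_name`, `github.event.commits ... .author.email`, `github.event.commits ... .author.name`, `github.event.inputs ...` and `inputs ...` have no `&&` exclusion, so a truthiness check on `inputs.flag` is still reported while the identical form on `github.head_ref` is suppressed. Either add the five missing exclusions (e.g. `- pattern-not: ${{ ... inputs ... && ... }}`, assuming the engine accepts `...` on both sides of the path) or extend the comment to say they are deliberately left out. The exclusion is also broader than the comment describes: it suppresses any expression in which the source appears left of an `&&`, including one that interpolates the same source in another operand, such as `${{ github.head_ref && github.head_ref || 'default' }}`; that is worth recording next to the comment as a known gap so it is not mistaken for intended behaviour. The enclosing rule definition starts before this hunk.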
@@ -41,6 +41,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
diff --git a/yaml/kubernetes/security/allow-privilege-escalation-true.yaml b/yaml/kubernetes/security/allow-privilege-escalation-true.yaml
index dda3c157c8..2c795dc4e3 100644
--- a/yaml/kubernetes/security/allow-privilege-escalation-true.yaml
+++ b/yaml/kubernetes/security/allow-privilege-escalation-true.yaml
@@ -39,6 +39,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
diff --git a/yaml/kubernetes/security/allow-privilege-escalation.yaml b/yaml/kubernetes/security/allow-privilege-escalation.yaml
index 324c2b6332..c1a7846837 100644
--- a/yaml/kubernetes/security/allow-privilege-escalation.yaml
+++ b/yaml/kubernetes/security/allow-privilege-escalation.yaml
@@ -47,6 +47,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
diff --git a/yaml/kubernetes/security/hostpid-pod.yaml b/yaml/kubernetes/security/hostpid-pod.yaml
index ed7fcd9a01..cd5c52324e 100644
--- a/yaml/kubernetes/security/hostpid-pod.yaml
+++ b/yaml/kubernetes/security/hostpid-pod.yaml
@@ -20,6 +20,7 @@ rules:
 - kubernetes
 owasp:
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 subcategory:
 - audit
 likelihood: LOW
diff --git a/yaml/kubernetes/security/legacy-api-clusterrole-excessive-permissions.yaml b/yaml/kubernetes/security/legacy-api-clusterrole-excessive-permissions.yaml
index 4efcb18a3c..ee768a95b9 100644
--- a/yaml/kubernetes/security/legacy-api-clusterrole-excessive-permissions.yaml
+++ b/yaml/kubernetes/security/legacy-api-clusterrole-excessive-permissions.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
 - https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice
diff --git a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml
index 4319b4c5b9..9a5c948e1e 100644
--- a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml
+++ b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml
@@ -77,6 +77,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - kubernetes
 subcategory:
diff --git a/yaml/kubernetes/security/run-as-non-root-container-level.yaml b/yaml/kubernetes/security/run-as-non-root-container-level.yaml
index f2eefcb3de..63b2bd98b9 100644
--- a/yaml/kubernetes/security/run-as-non-root-container-level.yaml
+++ b/yaml/kubernetes/security/run-as-non-root-container-level.yaml
@@ -79,6 +79,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - kubernetes
 subcategory:
diff --git a/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml b/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml
index 59fc053a35..a8c479c65f 100644
--- a/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml
+++ b/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml
@@ -65,6 +65,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - kubernetes
 subcategory:
diff --git a/yaml/kubernetes/security/run-as-non-root-unsafe-value.yaml b/yaml/kubernetes/security/run-as-non-root-unsafe-value.yaml
index 1d520c853a..d773f4ca7b 100644
--- a/yaml/kubernetes/security/run-as-non-root-unsafe-value.yaml
+++ b/yaml/kubernetes/security/run-as-non-root-unsafe-value.yaml
@@ -49,6 +49,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 category: security
 technology:
 - kubernetes
diff --git a/yaml/kubernetes/security/run-as-non-root.yaml b/yaml/kubernetes/security/run-as-non-root.yaml
index f86bdb599f..e32d50ccab 100644
--- a/yaml/kubernetes/security/run-as-non-root.yaml
+++ b/yaml/kubernetes/security/run-as-non-root.yaml
@@ -65,6 +65,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 technology:
 - kubernetes
 subcategory:
diff --git a/yaml/kubernetes/security/seccomp-confinement-disabled.yaml b/yaml/kubernetes/security/seccomp-confinement-disabled.yaml
index 21eed934e2..584b8c1713 100644
--- a/yaml/kubernetes/security/seccomp-confinement-disabled.yaml
+++ b/yaml/kubernetes/security/seccomp-confinement-disabled.yaml
@@ -26,6 +26,7 @@ rules:
 owasp:
 - A05:2017 - Broken Access Control
 - A01:2021 - Broken Access Control
+ - A01:2025 - Broken Access Control
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/yaml/kubernetes/security/secrets-in-config-file.yaml b/yaml/kubernetes/security/secrets-in-config-file.yaml
index a92af232d7..0515d60161 100644
--- a/yaml/kubernetes/security/secrets-in-config-file.yaml
+++ b/yaml/kubernetes/security/secrets-in-config-file.yaml
@@ -33,6 +33,7 @@ rules:
 - https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/
 owasp:
 - A07:2021 - Identification and Authentication Failures
+ - A07:2025 - Authentication Failures
 cwe2022-top25: true
 cwe2021-top25: true
 subcategory:
diff --git a/yaml/kubernetes/security/skip-tls-verify-cluster.yaml b/yaml/kubernetes/security/skip-tls-verify-cluster.yaml
index 0baa04bb40..3e3a1803c0 100644
--- a/yaml/kubernetes/security/skip-tls-verify-cluster.yaml
+++ b/yaml/kubernetes/security/skip-tls-verify-cluster.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/yaml/kubernetes/security/skip-tls-verify-service.yaml b/yaml/kubernetes/security/skip-tls-verify-service.yaml
index 18ebe11669..05037c6cd7 100644
--- a/yaml/kubernetes/security/skip-tls-verify-service.yaml
+++ b/yaml/kubernetes/security/skip-tls-verify-service.yaml
@@ -19,6 +19,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A02:2021 - Cryptographic Failures
+ - A04:2025 - Cryptographic Failures
 subcategory:
 - vuln
 likelihood: MEDIUM
diff --git a/yaml/kubernetes/security/writable-filesystem-container.yaml b/yaml/kubernetes/security/writable-filesystem-container.yaml
index 476775342e..b3ce662543 100644
--- a/yaml/kubernetes/security/writable-filesystem-container.yaml
+++ b/yaml/kubernetes/security/writable-filesystem-container.yaml
@@ -29,6 +29,7 @@ rules:
 owasp:
 - A05:2021 - Security Misconfiguration
 - A06:2017 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml
index 61a9582b84..ef5ea24493 100644
--- a/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml
+++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
 technology:
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml
index 2a3c3e67a4..b3d3cd890d 100644
--- a/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml
+++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml
@@ -30,6 +30,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
 technology:
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml
index de60392bb9..24df32acd7 100644
--- a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml
+++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml
@@ -33,6 +33,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
 technology:
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml
index d5900f6375..23ab9eedd1 100644
--- a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml
+++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml
@@ -32,6 +32,7 @@ rules:
 owasp:
 - A04:2017 - XML External Entities (XXE)
 - A05:2021 - Security Misconfiguration
+ - A02:2025 - Security Misconfiguration
 references:
 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
 technology:
diff --git a/yaml/semgrep/metadata-deepsemgrep.test.yaml b/yaml/semgrep/metadata-deepsemgrep.test.yaml
index b1a3360d59..39fbefd757 100644
--- a/yaml/semgrep/metadata-deepsemgrep.test.yaml
+++ b/yaml/semgrep/metadata-deepsemgrep.test.yaml
@@ -7,6 +7,7 @@ rules:
 metadata:
 owasp:
 - "A03:2021 - Injection"
+ - A05:2025 - Injection
 # ok: metadata-deepsemgrep
 interfile: true
 cwe:
@@ -31,6 +32,7 @@ rules:
 metadata:
 owasp:
 - "A03:2021 - Injection"
+ - A05:2025 - Injection
 # ruleid: metadata-deepsemgrep
 deepsemgrep: true
 cwe:
diff --git a/yaml/semgrep/metadata-incorrect-option.test.yaml b/yaml/semgrep/metadata-incorrect-option.test.yaml
index 1870c8fcc6..74fe6340d3 100644
--- a/yaml/semgrep/metadata-incorrect-option.test.yaml
+++ b/yaml/semgrep/metadata-incorrect-option.test.yaml
@@ -16,6 +16,7 @@ rules:
 owasp:
 - A03:2017 - Sensitive Data Exposure
 - A04:2021 - Insecure Design
+ - A06:2025 - Insecure Design
 references:
 - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
 - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/