JavaScript 和 TypeScript 的 CWE 覆盖率¶
最新版 CodeQL 中 JavaScript 和 TypeScript CWE 覆盖率的概述。
概述¶
| CWE | 语言 | 查询 ID | 查询名称 |
|---|---|---|---|
| CWE-20 | JavaScript/TypeScript | js/count-untrusted-data-external-api | 使用不可信数据调用外部 API 的频率统计 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-hostname-regexp | 主机名正则表达式不完整 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-url-scheme-check | URL 方案检查不完整 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-url-substring-sanitization | URL 子字符串清理不完整 |
| CWE-20 | JavaScript/TypeScript | js/incorrect-suffix-check | 后缀检查不正确 |
| CWE-20 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-20 | JavaScript/TypeScript | js/regex/missing-regexp-anchor | 缺少正则表达式锚点 |
| CWE-20 | JavaScript/TypeScript | js/overly-large-range | 过于宽松的正则表达式范围 |
| CWE-20 | JavaScript/TypeScript | js/untrusted-data-to-external-api | 向外部 API 传递不可信数据 |
| CWE-20 | JavaScript/TypeScript | js/useless-regexp-character-escape | 无用的正则表达式字符转义 |
| CWE-20 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-20 | JavaScript/TypeScript | js/double-escaping | 双重转义或反转义 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-20 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-20 | JavaScript/TypeScript | js/untrusted-data-to-external-api-more-sources | 向外部 API 传递不可信数据,并带有额外的启发式来源 |
| CWE-22 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-22 | JavaScript/TypeScript | js/zipslip | 在解压缩存档时存在任意文件访问(“Zip Slip”) |
| CWE-23 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-36 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-73 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-73 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-74 | JavaScript/TypeScript | js/disabling-electron-websecurity | 禁用 Electron webSecurity |
| CWE-74 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-74 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-74 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-74 | JavaScript/TypeScript | js/command-line-injection | 不受控制的命令行 |
| CWE-74 | JavaScript/TypeScript | js/indirect-command-line-injection | 间接不受控制的命令行 |
| CWE-74 | JavaScript/TypeScript | js/second-order-command-line-injection | 二阶命令注入 |
| CWE-74 | JavaScript/TypeScript | js/shell-command-injection-from-environment | 从环境变量构建的 Shell 命令 |
| CWE-74 | JavaScript/TypeScript | js/shell-command-constructed-from-input | 使用库输入构建的不安全的 Shell 命令 |
| CWE-74 | JavaScript/TypeScript | js/unnecessary-use-of-cat | 不必要地使用 cat 进程 |
| CWE-74 | JavaScript/TypeScript | js/xss-through-exception | 异常文本被重新解释为 HTML |
| CWE-74 | JavaScript/TypeScript | js/reflected-xss | 反射型跨站脚本攻击 |
| CWE-74 | JavaScript/TypeScript | js/stored-xss | 存储型跨站脚本攻击 |
| CWE-74 | JavaScript/TypeScript | js/html-constructed-from-input | 使用库输入构建的不安全的 HTML |
| CWE-74 | JavaScript/TypeScript | js/unsafe-jquery-plugin | 不安全的 jQuery 插件 |
| CWE-74 | JavaScript/TypeScript | js/xss | 客户端跨站脚本攻击 |
| CWE-74 | JavaScript/TypeScript | js/xss-through-dom | DOM 文本被重新解释为 HTML |
| CWE-74 | JavaScript/TypeScript | js/sql-injection | 使用用户控制的来源构建数据库查询 |
| CWE-74 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-74 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-74 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-74 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-74 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-74 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-74 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-74 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-74 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-74 | JavaScript/TypeScript | js/unsafe-html-expansion | 不安全的自闭合 HTML 标签扩展 |
| CWE-74 | JavaScript/TypeScript | js/tainted-format-string | 使用外部控制的格式字符串 |
| CWE-74 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-74 | JavaScript/TypeScript | js/xpath-injection | XPath 注入 |
| CWE-74 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-74 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-74 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-74 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-74 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-74 | JavaScript/TypeScript | js/env-key-and-value-injection | 用户控制的任意环境变量注入 |
| CWE-74 | JavaScript/TypeScript | js/env-value-injection | 用户控制的环境变量值注入 |
| CWE-74 | JavaScript/TypeScript | js/command-line-injection-more-sources | 不受控制的命令行,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/xss-more-sources | 客户端跨站脚本攻击,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/sql-injection-more-sources | 使用用户控制的来源构建数据库查询,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/tainted-format-string-more-sources | 使用外部控制的格式字符串,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/xpath-injection-more-sources | XPath 注入,并带有额外的启发式来源 |
| CWE-74 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-77 | JavaScript/TypeScript | js/command-line-injection | 不受控制的命令行 |
| CWE-77 | JavaScript/TypeScript | js/indirect-command-line-injection | 间接不受控制的命令行 |
| CWE-77 | JavaScript/TypeScript | js/second-order-command-line-injection | 二阶命令注入 |
| CWE-77 | JavaScript/TypeScript | js/shell-command-injection-from-environment | 从环境变量构建的 Shell 命令 |
| CWE-77 | JavaScript/TypeScript | js/shell-command-constructed-from-input | 使用库输入构建的不安全的 Shell 命令 |
| CWE-77 | JavaScript/TypeScript | js/unnecessary-use-of-cat | 不必要地使用 cat 进程 |
| CWE-77 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-77 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-77 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-77 | JavaScript/TypeScript | js/command-line-injection-more-sources | 不受控制的命令行,并带有额外的启发式来源 |
| CWE-77 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-78 | JavaScript/TypeScript | js/command-line-injection | 不受控制的命令行 |
| CWE-78 | JavaScript/TypeScript | js/indirect-command-line-injection | 间接不受控制的命令行 |
| CWE-78 | JavaScript/TypeScript | js/second-order-command-line-injection | 二阶命令注入 |
| CWE-78 | JavaScript/TypeScript | js/shell-command-injection-from-environment | 从环境变量构建的 Shell 命令 |
| CWE-78 | JavaScript/TypeScript | js/shell-command-constructed-from-input | 使用库输入构建的不安全的 Shell 命令 |
| CWE-78 | JavaScript/TypeScript | js/unnecessary-use-of-cat | 不必要地使用 cat 进程 |
| CWE-78 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-78 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-78 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-78 | JavaScript/TypeScript | js/command-line-injection-more-sources | 不受控制的命令行,并带有额外的启发式来源 |
| CWE-78 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-79 | JavaScript/TypeScript | js/disabling-electron-websecurity | 禁用 Electron webSecurity |
| CWE-79 | JavaScript/TypeScript | js/xss-through-exception | 异常文本被重新解释为 HTML |
| CWE-79 | JavaScript/TypeScript | js/reflected-xss | 反射型跨站脚本攻击 |
| CWE-79 | JavaScript/TypeScript | js/stored-xss | 存储型跨站脚本攻击 |
| CWE-79 | JavaScript/TypeScript | js/html-constructed-from-input | 使用库输入构建的不安全的 HTML |
| CWE-79 | JavaScript/TypeScript | js/unsafe-jquery-plugin | 不安全的 jQuery 插件 |
| CWE-79 | JavaScript/TypeScript | js/xss | 客户端跨站脚本攻击 |
| CWE-79 | JavaScript/TypeScript | js/xss-through-dom | DOM 文本被重新解释为 HTML |
| CWE-79 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-79 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-79 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-79 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-79 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-79 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-79 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-79 | JavaScript/TypeScript | js/unsafe-html-expansion | 不安全的自闭合 HTML 标签扩展 |
| CWE-79 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-79 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-79 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-79 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-79 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-79 | JavaScript/TypeScript | js/xss-more-sources | 客户端跨站脚本攻击,并带有额外的启发式来源 |
| CWE-79 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-79 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-80 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-80 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-80 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-88 | JavaScript/TypeScript | js/command-line-injection | 不受控制的命令行 |
| CWE-88 | JavaScript/TypeScript | js/indirect-command-line-injection | 间接不受控制的命令行 |
| CWE-88 | JavaScript/TypeScript | js/second-order-command-line-injection | 二阶命令注入 |
| CWE-88 | JavaScript/TypeScript | js/shell-command-injection-from-environment | 从环境变量构建的 Shell 命令 |
| CWE-88 | JavaScript/TypeScript | js/shell-command-constructed-from-input | 使用库输入构建的不安全的 Shell 命令 |
| CWE-88 | JavaScript/TypeScript | js/command-line-injection-more-sources | 不受控制的命令行,并带有额外的启发式来源 |
| CWE-89 | JavaScript/TypeScript | js/sql-injection | 使用用户控制的来源构建数据库查询 |
| CWE-89 | JavaScript/TypeScript | js/env-key-and-value-injection | 用户控制的任意环境变量注入 |
| CWE-89 | JavaScript/TypeScript | js/env-value-injection | 用户控制的环境变量值注入 |
| CWE-89 | JavaScript/TypeScript | js/sql-injection-more-sources | 使用用户控制的来源构建数据库查询,并带有额外的启发式来源 |
| CWE-90 | JavaScript/TypeScript | js/sql-injection | 使用用户控制的来源构建数据库查询 |
| CWE-90 | JavaScript/TypeScript | js/sql-injection-more-sources | 使用用户控制的来源构建数据库查询,并带有额外的启发式来源 |
| CWE-91 | JavaScript/TypeScript | js/xpath-injection | XPath 注入 |
| CWE-91 | JavaScript/TypeScript | js/xpath-injection-more-sources | XPath 注入,并带有额外的启发式来源 |
| CWE-94 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-94 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-94 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-94 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-94 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-94 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-94 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-94 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-94 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-94 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-94 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-94 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-94 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-94 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-95 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-95 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-95 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-99 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-116 | JavaScript/TypeScript | js/angular/disabling-sce | 禁用 SCE |
| CWE-116 | JavaScript/TypeScript | js/identity-replacement | 用自身替换子字符串 |
| CWE-116 | JavaScript/TypeScript | js/xss-through-exception | 异常文本被重新解释为 HTML |
| CWE-116 | JavaScript/TypeScript | js/reflected-xss | 反射型跨站脚本攻击 |
| CWE-116 | JavaScript/TypeScript | js/stored-xss | 存储型跨站脚本攻击 |
| CWE-116 | JavaScript/TypeScript | js/html-constructed-from-input | 使用库输入构建的不安全的 HTML |
| CWE-116 | JavaScript/TypeScript | js/unsafe-jquery-plugin | 不安全的 jQuery 插件 |
| CWE-116 | JavaScript/TypeScript | js/xss | 客户端跨站脚本攻击 |
| CWE-116 | JavaScript/TypeScript | js/xss-through-dom | DOM 文本被重新解释为 HTML |
| CWE-116 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-116 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-116 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-116 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-116 | JavaScript/TypeScript | js/double-escaping | 双重转义或反转义 |
| CWE-116 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-116 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-116 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-116 | JavaScript/TypeScript | js/unsafe-html-expansion | 不安全的自闭合 HTML 标签扩展 |
| CWE-116 | JavaScript/TypeScript | js/log-injection | 日志注入 |
| CWE-116 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-116 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-116 | JavaScript/TypeScript | js/xss-more-sources | 客户端跨站脚本攻击,并带有额外的启发式来源 |
| CWE-116 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-116 | JavaScript/TypeScript | js/log-injection-more-sources | 日志注入,并带有额外的启发式来源 |
| CWE-117 | JavaScript/TypeScript | js/log-injection | 日志注入 |
| CWE-117 | JavaScript/TypeScript | js/log-injection-more-sources | 日志注入,并带有额外的启发式来源 |
| CWE-134 | JavaScript/TypeScript | js/tainted-format-string | 使用外部控制的格式字符串 |
| CWE-134 | JavaScript/TypeScript | js/tainted-format-string-more-sources | 使用外部控制的格式字符串,并带有额外的启发式来源 |
| CWE-178 | JavaScript/TypeScript | js/case-sensitive-middleware-path | 区分大小写的中间件路径 |
| CWE-183 | JavaScript/TypeScript | js/angular/insecure-url-whitelist | 不安全的 URL 白名单 |
| CWE-183 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-183 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-183 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-184 | JavaScript/TypeScript | js/incomplete-url-scheme-check | URL 方案检查不完整 |
| CWE-184 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-185 | JavaScript/TypeScript | js/angular/insecure-url-whitelist | 不安全的 URL 白名单 |
| CWE-185 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-186 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-193 | JavaScript/TypeScript | js/index-out-of-bounds | 与长度比较时存在越界错误 |
| CWE-197 | JavaScript/TypeScript | js/shift-out-of-range | 移位范围超出界限 |
| CWE-200 | JavaScript/TypeScript | js/unsafe-external-link | 可能不安全的外部链接 |
| CWE-200 | JavaScript/TypeScript | js/file-access-to-http | 文件数据出现在出站网络请求中 |
| CWE-200 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-200 | JavaScript/TypeScript | js/cross-window-information-leak | 跨窗口通信没有限制目标来源 |
| CWE-200 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-200 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-200 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-200 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-200 | JavaScript/TypeScript | js/sensitive-get-query | 从 GET 请求中读取敏感数据 |
| CWE-201 | JavaScript/TypeScript | js/cross-window-information-leak | 跨窗口通信没有限制目标来源 |
| CWE-209 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-216 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-219 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-221 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-227 | JavaScript/TypeScript | js/superfluous-trailing-arguments | 多余的尾随参数 |
| CWE-227 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-248 | JavaScript/TypeScript | js/server-crash | 服务器崩溃 |
| CWE-250 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-250 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-256 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-258 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-259 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-260 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-260 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-269 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-269 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-284 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-284 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-284 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-284 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-284 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-284 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-284 | JavaScript/TypeScript | js/session-fixation | 未能放弃会话 |
| CWE-284 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-284 | JavaScript/TypeScript | js/host-header-forgery-in-email-generation | 在电子邮件生成中进行主机头欺骗 |
| CWE-284 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-284 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-284 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-284 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-284 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-284 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-284 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-284 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-284 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-284 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-285 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-285 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-285 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-285 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-287 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-287 | JavaScript/TypeScript | js/session-fixation | 未能放弃会话 |
| CWE-287 | JavaScript/TypeScript | js/host-header-forgery-in-email-generation | 在电子邮件生成中进行主机头欺骗 |
| CWE-287 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-287 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-287 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-287 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-287 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-287 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-287 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-290 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-290 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-290 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-295 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-297 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-300 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-307 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-311 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-311 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-311 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-311 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-311 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-311 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-312 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-312 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-312 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-312 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-312 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-313 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-315 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-315 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-319 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-319 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-321 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-326 | JavaScript/TypeScript | js/insufficient-key-size | 使用弱加密密钥 |
| CWE-326 | JavaScript/TypeScript | js/weak-cryptographic-algorithm | 使用错误或弱加密算法 |
| CWE-327 | JavaScript/TypeScript | js/biased-cryptographic-random | 从加密安全的来源创建偏差随机数 |
| CWE-327 | JavaScript/TypeScript | js/weak-cryptographic-algorithm | 使用错误或弱加密算法 |
| CWE-327 | JavaScript/TypeScript | js/insufficient-password-hash | 使用计算量不足的密码哈希 |
| CWE-328 | JavaScript/TypeScript | js/weak-cryptographic-algorithm | 使用错误或弱加密算法 |
| CWE-330 | JavaScript/TypeScript | js/insecure-randomness | 不安全的随机性 |
| CWE-330 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-330 | JavaScript/TypeScript | js/predictable-token | 可预测的令牌 |
| CWE-338 | JavaScript/TypeScript | js/insecure-randomness | 不安全的随机性 |
| CWE-340 | JavaScript/TypeScript | js/predictable-token | 可预测的令牌 |
| CWE-344 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-345 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-345 | JavaScript/TypeScript | js/jwt-missing-verification | JWT 缺少密钥或公钥验证 |
| CWE-345 | JavaScript/TypeScript | js/missing-token-validation | 缺少 CSRF 中间件 |
| CWE-345 | JavaScript/TypeScript | js/decode-jwt-without-verification | JWT 缺少密钥或公钥验证 |
| CWE-345 | JavaScript/TypeScript | js/decode-jwt-without-verification-local-source | JWT 缺少密钥或公钥验证 |
| CWE-345 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-346 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-346 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-347 | JavaScript/TypeScript | js/jwt-missing-verification | JWT 缺少密钥或公钥验证 |
| CWE-347 | JavaScript/TypeScript | js/decode-jwt-without-verification | JWT 缺少密钥或公钥验证 |
| CWE-347 | JavaScript/TypeScript | js/decode-jwt-without-verification-local-source | JWT 缺少密钥或公钥验证 |
| CWE-352 | JavaScript/TypeScript | js/missing-token-validation | 缺少 CSRF 中间件 |
| CWE-359 | JavaScript/TypeScript | js/cross-window-information-leak | 跨窗口通信没有限制目标来源 |
| CWE-359 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-359 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-359 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-362 | JavaScript/TypeScript | js/file-system-race | 潜在的文件系统竞争条件 |
| CWE-367 | JavaScript/TypeScript | js/file-system-race | 潜在的文件系统竞争条件 |
| CWE-377 | JavaScript/TypeScript | js/insecure-temporary-file | 不安全的临时文件 |
| CWE-378 | JavaScript/TypeScript | js/insecure-temporary-file | 不安全的临时文件 |
| CWE-384 | JavaScript/TypeScript | js/session-fixation | 未能放弃会话 |
| CWE-398 | JavaScript/TypeScript | js/todo-comment | TODO 注释 |
| CWE-398 | JavaScript/TypeScript | js/eval-like-call | 调用类似 eval 的 DOM 函数 |
| CWE-398 | JavaScript/TypeScript | js/variable-initialization-conflict | 变量初始化冲突 |
| CWE-398 | JavaScript/TypeScript | js/function-declaration-conflict | 函数声明冲突 |
| CWE-398 | JavaScript/TypeScript | js/useless-assignment-to-global | 对全局变量的无用赋值 |
| CWE-398 | JavaScript/TypeScript | js/useless-assignment-to-local | 对局部变量的无用赋值 |
| CWE-398 | JavaScript/TypeScript | js/overwritten-property | 覆盖的属性 |
| CWE-398 | JavaScript/TypeScript | js/comparison-of-identical-expressions | 比较相同的值 |
| CWE-398 | JavaScript/TypeScript | js/comparison-with-nan | 与 NaN 比较 |
| CWE-398 | JavaScript/TypeScript | js/duplicate-condition | 重复的 'if' 条件 |
| CWE-398 | JavaScript/TypeScript | js/duplicate-property | 重复的属性 |
| CWE-398 | JavaScript/TypeScript | js/duplicate-switch-case | 重复的 switch case |
| CWE-398 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-398 | JavaScript/TypeScript | js/comparison-between-incompatible-types | 不可转换类型之间的比较 |
| CWE-398 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-398 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-398 | JavaScript/TypeScript | js/call-to-non-callable | 调用非函数 |
| CWE-398 | JavaScript/TypeScript | js/property-access-on-non-object | 对 null 或 undefined 的属性访问 |
| CWE-398 | JavaScript/TypeScript | js/unneeded-defensive-code | 不必要的防御性代码 |
| CWE-398 | JavaScript/TypeScript | js/useless-type-test | 无用的类型测试 |
| CWE-398 | JavaScript/TypeScript | js/eval-call | 使用 eval |
| CWE-398 | JavaScript/TypeScript | js/node/assignment-to-exports-variable | 对 exports 变量的赋值 |
| CWE-398 | JavaScript/TypeScript | js/regex/unmatchable-caret | 正则表达式中的不匹配的脱字符 |
| CWE-398 | JavaScript/TypeScript | js/regex/unmatchable-dollar | 正则表达式中的不匹配的美元符号 |
| CWE-398 | JavaScript/TypeScript | js/useless-assignment-in-return | return 语句分配局部变量 |
| CWE-398 | JavaScript/TypeScript | js/unreachable-statement | 不可到达的语句 |
| CWE-398 | JavaScript/TypeScript | js/trivial-conditional | 无用的条件 |
| CWE-400 | JavaScript/TypeScript | js/polynomial-redos | 对不受控制的数据使用多项式正则表达式 |
| CWE-400 | JavaScript/TypeScript | js/redos | 低效的正则表达式 |
| CWE-400 | JavaScript/TypeScript | js/resource-exhaustion-from-deep-object-traversal | 深度对象遍历导致资源耗尽 |
| CWE-400 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-400 | JavaScript/TypeScript | js/regex-injection | 正则表达式注入 |
| CWE-400 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-400 | JavaScript/TypeScript | js/resource-exhaustion | 资源耗尽 |
| CWE-400 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-400 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-400 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-400 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-400 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-400 | JavaScript/TypeScript | js/regex-injection-more-sources | 正则表达式注入,并带有额外的启发式来源 |
| CWE-400 | JavaScript/TypeScript | js/resource-exhaustion-more-sources | 资源耗尽,并伴随额外的启发式来源 |
| CWE-400 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-400 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-405 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-405 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-409 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-409 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-434 | JavaScript/TypeScript | js/http-to-file-access | 网络数据写入文件 |
| CWE-435 | JavaScript/TypeScript | js/insecure-http-parser | 不安全的 HTTP 解析器 |
| CWE-436 | JavaScript/TypeScript | js/insecure-http-parser | 不安全的 HTTP 解析器 |
| CWE-441 | JavaScript/TypeScript | js/client-side-request-forgery | 客户端请求伪造 |
| CWE-441 | JavaScript/TypeScript | js/request-forgery | 服务器端请求伪造 |
| CWE-441 | JavaScript/TypeScript | javascript/ssrf | 在网络请求中使用不受控制的数据 |
| CWE-444 | JavaScript/TypeScript | js/insecure-http-parser | 不安全的 HTTP 解析器 |
| CWE-451 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-471 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-471 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-471 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-471 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-476 | JavaScript/TypeScript | js/call-to-non-callable | 调用非函数 |
| CWE-476 | JavaScript/TypeScript | js/property-access-on-non-object | 对 null 或 undefined 的属性访问 |
| CWE-480 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-480 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-480 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-480 | JavaScript/TypeScript | js/deletion-of-non-property | 删除非属性 |
| CWE-483 | JavaScript/TypeScript | js/misleading-indentation-of-dangling-else | 悬挂 'else' 语句的误导性缩进 |
| CWE-483 | JavaScript/TypeScript | js/misleading-indentation-after-control-statement | 控制语句后的误导性缩进 |
| CWE-485 | JavaScript/TypeScript | js/alert-call | 调用 alert |
| CWE-485 | JavaScript/TypeScript | js/debugger-statement | 使用调试器语句 |
| CWE-485 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-489 | JavaScript/TypeScript | js/alert-call | 调用 alert |
| CWE-489 | JavaScript/TypeScript | js/debugger-statement | 使用调试器语句 |
| CWE-494 | JavaScript/TypeScript | js/enabling-electron-insecure-content | 启用 Electron allowRunningInsecureContent |
| CWE-494 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-497 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-502 | JavaScript/TypeScript | js/unsafe-deserialization | 反序列化用户控制的数据 |
| CWE-502 | JavaScript/TypeScript | js/unsafe-deserialization-more-sources | 反序列化用户控制的数据,并伴随额外的启发式来源 |
| CWE-506 | JavaScript/TypeScript | js/hardcoded-data-interpreted-as-code | 将硬编码数据解释为代码 |
| CWE-521 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-522 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-522 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-522 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-532 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-538 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-538 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-546 | JavaScript/TypeScript | js/todo-comment | TODO 注释 |
| CWE-548 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-552 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-552 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-561 | JavaScript/TypeScript | js/comparison-of-identical-expressions | 比较相同的值 |
| CWE-561 | JavaScript/TypeScript | js/comparison-with-nan | 与 NaN 比较 |
| CWE-561 | JavaScript/TypeScript | js/duplicate-condition | 重复的 'if' 条件 |
| CWE-561 | JavaScript/TypeScript | js/duplicate-switch-case | 重复的 switch case |
| CWE-561 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-561 | JavaScript/TypeScript | js/comparison-between-incompatible-types | 不可转换类型之间的比较 |
| CWE-561 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-561 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-561 | JavaScript/TypeScript | js/unneeded-defensive-code | 不必要的防御性代码 |
| CWE-561 | JavaScript/TypeScript | js/useless-type-test | 无用的类型测试 |
| CWE-561 | JavaScript/TypeScript | js/regex/unmatchable-caret | 正则表达式中的不匹配的脱字符 |
| CWE-561 | JavaScript/TypeScript | js/regex/unmatchable-dollar | 正则表达式中的不匹配的美元符号 |
| CWE-561 | JavaScript/TypeScript | js/unreachable-statement | 不可到达的语句 |
| CWE-561 | JavaScript/TypeScript | js/trivial-conditional | 无用的条件 |
| CWE-563 | JavaScript/TypeScript | js/variable-initialization-conflict | 变量初始化冲突 |
| CWE-563 | JavaScript/TypeScript | js/function-declaration-conflict | 函数声明冲突 |
| CWE-563 | JavaScript/TypeScript | js/useless-assignment-to-global | 对全局变量的无用赋值 |
| CWE-563 | JavaScript/TypeScript | js/useless-assignment-to-local | 对局部变量的无用赋值 |
| CWE-563 | JavaScript/TypeScript | js/overwritten-property | 覆盖的属性 |
| CWE-563 | JavaScript/TypeScript | js/duplicate-property | 重复的属性 |
| CWE-563 | JavaScript/TypeScript | js/node/assignment-to-exports-variable | 对 exports 变量的赋值 |
| CWE-563 | JavaScript/TypeScript | js/useless-assignment-in-return | return 语句分配局部变量 |
| CWE-570 | JavaScript/TypeScript | js/comparison-of-identical-expressions | 比较相同的值 |
| CWE-570 | JavaScript/TypeScript | js/comparison-with-nan | 与 NaN 比较 |
| CWE-570 | JavaScript/TypeScript | js/comparison-between-incompatible-types | 不可转换类型之间的比较 |
| CWE-570 | JavaScript/TypeScript | js/unneeded-defensive-code | 不必要的防御性代码 |
| CWE-570 | JavaScript/TypeScript | js/useless-type-test | 无用的类型测试 |
| CWE-570 | JavaScript/TypeScript | js/trivial-conditional | 无用的条件 |
| CWE-571 | JavaScript/TypeScript | js/comparison-of-identical-expressions | 比较相同的值 |
| CWE-571 | JavaScript/TypeScript | js/comparison-with-nan | 与 NaN 比较 |
| CWE-571 | JavaScript/TypeScript | js/comparison-between-incompatible-types | 不可转换类型之间的比较 |
| CWE-571 | JavaScript/TypeScript | js/unneeded-defensive-code | 不必要的防御性代码 |
| CWE-571 | JavaScript/TypeScript | js/useless-type-test | 无用的类型测试 |
| CWE-571 | JavaScript/TypeScript | js/trivial-conditional | 无用的条件 |
| CWE-573 | JavaScript/TypeScript | js/superfluous-trailing-arguments | 多余的尾随参数 |
| CWE-584 | JavaScript/TypeScript | js/exit-from-finally | 从 finally 块中跳转 |
| CWE-592 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-592 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-592 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-598 | JavaScript/TypeScript | js/sensitive-get-query | 从 GET 请求中读取敏感数据 |
| CWE-601 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-601 | JavaScript/TypeScript | js/server-side-unvalidated-url-redirection | 服务器端 URL 重定向 |
| CWE-610 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-610 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-610 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-610 | JavaScript/TypeScript | js/server-side-unvalidated-url-redirection | 服务器端 URL 重定向 |
| CWE-610 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-610 | JavaScript/TypeScript | js/client-side-request-forgery | 客户端请求伪造 |
| CWE-610 | JavaScript/TypeScript | js/request-forgery | 服务器端请求伪造 |
| CWE-610 | JavaScript/TypeScript | javascript/ssrf | 在网络请求中使用不受控制的数据 |
| CWE-610 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-611 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-611 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-614 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-625 | JavaScript/TypeScript | js/angular/insecure-url-whitelist | 不安全的 URL 白名单 |
| CWE-628 | JavaScript/TypeScript | js/superfluous-trailing-arguments | 多余的尾随参数 |
| CWE-639 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-639 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-640 | JavaScript/TypeScript | js/host-header-forgery-in-email-generation | 在电子邮件生成中进行主机头欺骗 |
| CWE-642 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-642 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-643 | JavaScript/TypeScript | js/xpath-injection | XPath 注入 |
| CWE-643 | JavaScript/TypeScript | js/xpath-injection-more-sources | XPath 注入,并带有额外的启发式来源 |
| CWE-657 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-657 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-657 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/alert-call | 调用 alert |
| CWE-664 | JavaScript/TypeScript | js/unsafe-external-link | 可能不安全的外部链接 |
| CWE-664 | JavaScript/TypeScript | js/enabling-electron-insecure-content | 启用 Electron allowRunningInsecureContent |
| CWE-664 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-664 | JavaScript/TypeScript | js/implicit-operand-conversion | 隐式操作数转换 |
| CWE-664 | JavaScript/TypeScript | js/shift-out-of-range | 移位范围超出界限 |
| CWE-664 | JavaScript/TypeScript | js/debugger-statement | 使用调试器语句 |
| CWE-664 | JavaScript/TypeScript | js/invalid-prototype-value | 无效的原型值 |
| CWE-664 | JavaScript/TypeScript | js/property-assignment-on-primitive | 给原始值分配属性 |
| CWE-664 | JavaScript/TypeScript | js/polynomial-redos | 对不受控制的数据使用多项式正则表达式 |
| CWE-664 | JavaScript/TypeScript | js/redos | 低效的正则表达式 |
| CWE-664 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-664 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-664 | JavaScript/TypeScript | js/zipslip | 在解压缩存档时存在任意文件访问(“Zip Slip”) |
| CWE-664 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-664 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-664 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-664 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-664 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-664 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-664 | JavaScript/TypeScript | js/case-sensitive-middleware-path | 区分大小写的中间件路径 |
| CWE-664 | JavaScript/TypeScript | js/file-access-to-http | 文件数据出现在出站网络请求中 |
| CWE-664 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-664 | JavaScript/TypeScript | js/cross-window-information-leak | 跨窗口通信没有限制目标来源 |
| CWE-664 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-664 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-664 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-664 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-664 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-664 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-664 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-664 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-664 | JavaScript/TypeScript | js/insecure-temporary-file | 不安全的临时文件 |
| CWE-664 | JavaScript/TypeScript | js/session-fixation | 未能放弃会话 |
| CWE-664 | JavaScript/TypeScript | js/resource-exhaustion-from-deep-object-traversal | 深度对象遍历导致资源耗尽 |
| CWE-664 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-664 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-664 | JavaScript/TypeScript | js/unsafe-deserialization | 反序列化用户控制的数据 |
| CWE-664 | JavaScript/TypeScript | js/sensitive-get-query | 从 GET 请求中读取敏感数据 |
| CWE-664 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-664 | JavaScript/TypeScript | js/server-side-unvalidated-url-redirection | 服务器端 URL 重定向 |
| CWE-664 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-664 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-664 | JavaScript/TypeScript | js/host-header-forgery-in-email-generation | 在电子邮件生成中进行主机头欺骗 |
| CWE-664 | JavaScript/TypeScript | js/regex-injection | 正则表达式注入 |
| CWE-664 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-664 | JavaScript/TypeScript | js/resource-exhaustion | 资源耗尽 |
| CWE-664 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-664 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-664 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-664 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-664 | JavaScript/TypeScript | js/insecure-download | 通过不安全连接下载敏感文件 |
| CWE-664 | JavaScript/TypeScript | js/functionality-from-untrusted-source | 从不受信任的来源包含功能 |
| CWE-664 | JavaScript/TypeScript | js/type-confusion-through-parameter-tampering | 通过参数篡改导致类型混淆 |
| CWE-664 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-664 | JavaScript/TypeScript | js/http-to-file-access | 网络数据写入文件 |
| CWE-664 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-664 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-664 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-664 | JavaScript/TypeScript | js/client-side-request-forgery | 客户端请求伪造 |
| CWE-664 | JavaScript/TypeScript | js/request-forgery | 服务器端请求伪造 |
| CWE-664 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-664 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-664 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-664 | JavaScript/TypeScript | javascript/ssrf | 在网络请求中使用不受控制的数据 |
| CWE-664 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-664 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/unsafe-deserialization-more-sources | 反序列化用户控制的数据,并伴随额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/regex-injection-more-sources | 正则表达式注入,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/resource-exhaustion-more-sources | 资源耗尽,并伴随额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-664 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-665 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-665 | JavaScript/TypeScript | js/resource-exhaustion | 资源耗尽 |
| CWE-665 | JavaScript/TypeScript | js/resource-exhaustion-more-sources | 资源耗尽,并伴随额外的启发式来源 |
| CWE-668 | JavaScript/TypeScript | js/unsafe-external-link | 可能不安全的外部链接 |
| CWE-668 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-668 | JavaScript/TypeScript | js/zipslip | 在解压缩存档时存在任意文件访问(“Zip Slip”) |
| CWE-668 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-668 | JavaScript/TypeScript | js/file-access-to-http | 文件数据出现在出站网络请求中 |
| CWE-668 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-668 | JavaScript/TypeScript | js/cross-window-information-leak | 跨窗口通信没有限制目标来源 |
| CWE-668 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-668 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-668 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-668 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-668 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-668 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-668 | JavaScript/TypeScript | js/insecure-temporary-file | 不安全的临时文件 |
| CWE-668 | JavaScript/TypeScript | js/sensitive-get-query | 从 GET 请求中读取敏感数据 |
| CWE-668 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-668 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-668 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-668 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-669 | JavaScript/TypeScript | js/enabling-electron-insecure-content | 启用 Electron allowRunningInsecureContent |
| CWE-669 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-669 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-669 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-669 | JavaScript/TypeScript | js/insecure-download | 通过不安全连接下载敏感文件 |
| CWE-669 | JavaScript/TypeScript | js/functionality-from-untrusted-source | 从不受信任的来源包含功能 |
| CWE-669 | JavaScript/TypeScript | js/http-to-file-access | 网络数据写入文件 |
| CWE-669 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-670 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-670 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-670 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-670 | JavaScript/TypeScript | js/unclear-operator-precedence | 嵌套运算符的优先级不明确 |
| CWE-670 | JavaScript/TypeScript | js/whitespace-contradicts-precedence | 空白符与运算符优先级相矛盾 |
| CWE-670 | JavaScript/TypeScript | js/deletion-of-non-property | 删除非属性 |
| CWE-670 | JavaScript/TypeScript | js/misleading-indentation-of-dangling-else | 悬挂 'else' 语句的误导性缩进 |
| CWE-670 | JavaScript/TypeScript | js/misleading-indentation-after-control-statement | 控制语句后的误导性缩进 |
| CWE-671 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-674 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-674 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-676 | JavaScript/TypeScript | js/eval-like-call | 调用类似 eval 的 DOM 函数 |
| CWE-676 | JavaScript/TypeScript | js/eval-call | 使用 eval |
| CWE-681 | JavaScript/TypeScript | js/shift-out-of-range | 移位范围超出界限 |
| CWE-682 | JavaScript/TypeScript | js/index-out-of-bounds | 与长度比较时存在越界错误 |
| CWE-684 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-685 | JavaScript/TypeScript | js/superfluous-trailing-arguments | 多余的尾随参数 |
| CWE-691 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-691 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-691 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-691 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-691 | JavaScript/TypeScript | js/unclear-operator-precedence | 嵌套运算符的优先级不明确 |
| CWE-691 | JavaScript/TypeScript | js/whitespace-contradicts-precedence | 空白符与运算符优先级相矛盾 |
| CWE-691 | JavaScript/TypeScript | js/deletion-of-non-property | 删除非属性 |
| CWE-691 | JavaScript/TypeScript | js/exit-from-finally | 从 finally 块中跳转 |
| CWE-691 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-691 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-691 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-691 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-691 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-691 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-691 | JavaScript/TypeScript | js/file-system-race | 潜在的文件系统竞争条件 |
| CWE-691 | JavaScript/TypeScript | js/server-crash | 服务器崩溃 |
| CWE-691 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-691 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-691 | JavaScript/TypeScript | js/loop-bound-injection | 循环边界注入 |
| CWE-691 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-691 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-691 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-691 | JavaScript/TypeScript | js/misleading-indentation-of-dangling-else | 悬挂 'else' 语句的误导性缩进 |
| CWE-691 | JavaScript/TypeScript | js/inconsistent-loop-direction | for 循环方向不一致 |
| CWE-691 | JavaScript/TypeScript | js/misleading-indentation-after-control-statement | 控制语句后的误导性缩进 |
| CWE-691 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-691 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-691 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-691 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-691 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-693 | JavaScript/TypeScript | js/angular/insecure-url-whitelist | 不安全的 URL 白名单 |
| CWE-693 | JavaScript/TypeScript | js/count-untrusted-data-external-api | 使用不可信数据调用外部 API 的频率统计 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-hostname-regexp | 主机名正则表达式不完整 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-url-scheme-check | URL 方案检查不完整 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-url-substring-sanitization | URL 子字符串清理不完整 |
| CWE-693 | JavaScript/TypeScript | js/incorrect-suffix-check | 后缀检查不正确 |
| CWE-693 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-693 | JavaScript/TypeScript | js/regex/missing-regexp-anchor | 缺少正则表达式锚点 |
| CWE-693 | JavaScript/TypeScript | js/overly-large-range | 过于宽松的正则表达式范围 |
| CWE-693 | JavaScript/TypeScript | js/untrusted-data-to-external-api | 向外部 API 传递不可信数据 |
| CWE-693 | JavaScript/TypeScript | js/useless-regexp-character-escape | 无用的正则表达式字符转义 |
| CWE-693 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-693 | JavaScript/TypeScript | js/double-escaping | 双重转义或反转义 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-693 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-693 | JavaScript/TypeScript | js/exposure-of-private-files | 私有文件泄露 |
| CWE-693 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-693 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-693 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-693 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-693 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-693 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-693 | JavaScript/TypeScript | js/insufficient-key-size | 使用弱加密密钥 |
| CWE-693 | JavaScript/TypeScript | js/biased-cryptographic-random | 从加密安全的来源创建偏差随机数 |
| CWE-693 | JavaScript/TypeScript | js/weak-cryptographic-algorithm | 使用错误或弱加密算法 |
| CWE-693 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-693 | JavaScript/TypeScript | js/jwt-missing-verification | JWT 缺少密钥或公钥验证 |
| CWE-693 | JavaScript/TypeScript | js/missing-token-validation | 缺少 CSRF 中间件 |
| CWE-693 | JavaScript/TypeScript | js/session-fixation | 未能放弃会话 |
| CWE-693 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-693 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-693 | JavaScript/TypeScript | js/host-header-forgery-in-email-generation | 在电子邮件生成中进行主机头欺骗 |
| CWE-693 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-693 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-693 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-693 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-693 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-693 | JavaScript/TypeScript | js/insufficient-password-hash | 使用计算量不足的密码哈希 |
| CWE-693 | JavaScript/TypeScript | js/decode-jwt-without-verification | JWT 缺少密钥或公钥验证 |
| CWE-693 | JavaScript/TypeScript | js/decode-jwt-without-verification-local-source | JWT 缺少密钥或公钥验证 |
| CWE-693 | JavaScript/TypeScript | js/user-controlled-data-decompression | 用户控制的文件解压缩 |
| CWE-693 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-693 | JavaScript/TypeScript | js/untrusted-data-to-external-api-more-sources | 向外部 API 传递不可信数据,并带有额外的启发式来源 |
| CWE-693 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-693 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-693 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-697 | JavaScript/TypeScript | js/angular/insecure-url-whitelist | 不安全的 URL 白名单 |
| CWE-697 | JavaScript/TypeScript | js/incomplete-url-scheme-check | URL 方案检查不完整 |
| CWE-697 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-697 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-697 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-697 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-703 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-703 | JavaScript/TypeScript | js/server-crash | 服务器崩溃 |
| CWE-703 | JavaScript/TypeScript | js/unvalidated-dynamic-method-call | 未经验证的动态方法调用 |
| CWE-704 | JavaScript/TypeScript | js/implicit-operand-conversion | 隐式操作数转换 |
| CWE-704 | JavaScript/TypeScript | js/shift-out-of-range | 移位范围超出界限 |
| CWE-704 | JavaScript/TypeScript | js/invalid-prototype-value | 无效的原型值 |
| CWE-704 | JavaScript/TypeScript | js/property-assignment-on-primitive | 给原始值分配属性 |
| CWE-704 | JavaScript/TypeScript | js/type-confusion-through-parameter-tampering | 通过参数篡改导致类型混淆 |
| CWE-705 | JavaScript/TypeScript | js/exit-from-finally | 从 finally 块中跳转 |
| CWE-705 | JavaScript/TypeScript | js/server-crash | 服务器崩溃 |
| CWE-706 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-706 | JavaScript/TypeScript | js/zipslip | 在解压缩存档时存在任意文件访问(“Zip Slip”) |
| CWE-706 | JavaScript/TypeScript | js/case-sensitive-middleware-path | 区分大小写的中间件路径 |
| CWE-706 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-706 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/angular/disabling-sce | 禁用 SCE |
| CWE-707 | JavaScript/TypeScript | js/disabling-electron-websecurity | 禁用 Electron webSecurity |
| CWE-707 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-707 | JavaScript/TypeScript | js/identity-replacement | 用自身替换子字符串 |
| CWE-707 | JavaScript/TypeScript | js/path-injection | 路径表达式中使用了不受控制的数据 |
| CWE-707 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-707 | JavaScript/TypeScript | js/command-line-injection | 不受控制的命令行 |
| CWE-707 | JavaScript/TypeScript | js/indirect-command-line-injection | 间接不受控制的命令行 |
| CWE-707 | JavaScript/TypeScript | js/second-order-command-line-injection | 二阶命令注入 |
| CWE-707 | JavaScript/TypeScript | js/shell-command-injection-from-environment | 从环境变量构建的 Shell 命令 |
| CWE-707 | JavaScript/TypeScript | js/shell-command-constructed-from-input | 使用库输入构建的不安全的 Shell 命令 |
| CWE-707 | JavaScript/TypeScript | js/unnecessary-use-of-cat | 不必要地使用 cat 进程 |
| CWE-707 | JavaScript/TypeScript | js/xss-through-exception | 异常文本被重新解释为 HTML |
| CWE-707 | JavaScript/TypeScript | js/reflected-xss | 反射型跨站脚本攻击 |
| CWE-707 | JavaScript/TypeScript | js/stored-xss | 存储型跨站脚本攻击 |
| CWE-707 | JavaScript/TypeScript | js/html-constructed-from-input | 使用库输入构建的不安全的 HTML |
| CWE-707 | JavaScript/TypeScript | js/unsafe-jquery-plugin | 不安全的 jQuery 插件 |
| CWE-707 | JavaScript/TypeScript | js/xss | 客户端跨站脚本攻击 |
| CWE-707 | JavaScript/TypeScript | js/xss-through-dom | DOM 文本被重新解释为 HTML |
| CWE-707 | JavaScript/TypeScript | js/sql-injection | 使用用户控制的来源构建数据库查询 |
| CWE-707 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-707 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-707 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-707 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-707 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-707 | JavaScript/TypeScript | js/bad-tag-filter | 错误的 HTML 过滤正则表达式 |
| CWE-707 | JavaScript/TypeScript | js/double-escaping | 双重转义或反转义 |
| CWE-707 | JavaScript/TypeScript | js/incomplete-html-attribute-sanitization | HTML 属性清理不完整 |
| CWE-707 | JavaScript/TypeScript | js/incomplete-multi-character-sanitization | 多字符清理不完整 |
| CWE-707 | JavaScript/TypeScript | js/incomplete-sanitization | 字符串转义或编码不完整 |
| CWE-707 | JavaScript/TypeScript | js/unsafe-html-expansion | 不安全的自闭合 HTML 标签扩展 |
| CWE-707 | JavaScript/TypeScript | js/log-injection | 日志注入 |
| CWE-707 | JavaScript/TypeScript | js/tainted-format-string | 使用外部控制的格式字符串 |
| CWE-707 | JavaScript/TypeScript | js/client-side-unvalidated-url-redirection | 客户端 URL 重定向 |
| CWE-707 | JavaScript/TypeScript | js/xpath-injection | XPath 注入 |
| CWE-707 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-707 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-707 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-707 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-707 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-707 | JavaScript/TypeScript | js/env-key-and-value-injection | 用户控制的任意环境变量注入 |
| CWE-707 | JavaScript/TypeScript | js/env-value-injection | 用户控制的环境变量值注入 |
| CWE-707 | JavaScript/TypeScript | js/command-line-injection-more-sources | 不受控制的命令行,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/xss-more-sources | 客户端跨站脚本攻击,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/sql-injection-more-sources | 使用用户控制的来源构建数据库查询,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/log-injection-more-sources | 日志注入,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/tainted-format-string-more-sources | 使用外部控制的格式字符串,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/xpath-injection-more-sources | XPath 注入,并带有额外的启发式来源 |
| CWE-707 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-710 | JavaScript/TypeScript | js/todo-comment | TODO 注释 |
| CWE-710 | JavaScript/TypeScript | js/conflicting-html-attribute | 冲突的 HTML 元素属性 |
| CWE-710 | JavaScript/TypeScript | js/malformed-html-id | 格式错误的 id 属性 |
| CWE-710 | JavaScript/TypeScript | js/eval-like-call | 调用类似 eval 的 DOM 函数 |
| CWE-710 | JavaScript/TypeScript | js/variable-initialization-conflict | 变量初始化冲突 |
| CWE-710 | JavaScript/TypeScript | js/function-declaration-conflict | 函数声明冲突 |
| CWE-710 | JavaScript/TypeScript | js/useless-assignment-to-global | 对全局变量的无用赋值 |
| CWE-710 | JavaScript/TypeScript | js/useless-assignment-to-local | 对局部变量的无用赋值 |
| CWE-710 | JavaScript/TypeScript | js/overwritten-property | 覆盖的属性 |
| CWE-710 | JavaScript/TypeScript | js/comparison-of-identical-expressions | 比较相同的值 |
| CWE-710 | JavaScript/TypeScript | js/comparison-with-nan | 与 NaN 比较 |
| CWE-710 | JavaScript/TypeScript | js/duplicate-condition | 重复的 'if' 条件 |
| CWE-710 | JavaScript/TypeScript | js/duplicate-property | 重复的属性 |
| CWE-710 | JavaScript/TypeScript | js/duplicate-switch-case | 重复的 switch case |
| CWE-710 | JavaScript/TypeScript | js/useless-expression | 表达式没有效果 |
| CWE-710 | JavaScript/TypeScript | js/comparison-between-incompatible-types | 不可转换类型之间的比较 |
| CWE-710 | JavaScript/TypeScript | js/redundant-operation | 相同的操作数 |
| CWE-710 | JavaScript/TypeScript | js/redundant-assignment | 自身赋值 |
| CWE-710 | JavaScript/TypeScript | js/call-to-non-callable | 调用非函数 |
| CWE-710 | JavaScript/TypeScript | js/property-access-on-non-object | 对 null 或 undefined 的属性访问 |
| CWE-710 | JavaScript/TypeScript | js/unneeded-defensive-code | 不必要的防御性代码 |
| CWE-710 | JavaScript/TypeScript | js/useless-type-test | 无用的类型测试 |
| CWE-710 | JavaScript/TypeScript | js/conditional-comment | 条件注释 |
| CWE-710 | JavaScript/TypeScript | js/eval-call | 使用 eval |
| CWE-710 | JavaScript/TypeScript | js/non-standard-language-feature | 使用平台特定的语言特性 |
| CWE-710 | JavaScript/TypeScript | js/for-in-comprehension | 使用 for-in 推导块 |
| CWE-710 | JavaScript/TypeScript | js/superfluous-trailing-arguments | 多余的尾随参数 |
| CWE-710 | JavaScript/TypeScript | js/yield-outside-generator | 在非生成器函数中使用 yield |
| CWE-710 | JavaScript/TypeScript | js/node/assignment-to-exports-variable | 对 exports 变量的赋值 |
| CWE-710 | JavaScript/TypeScript | js/regex/unmatchable-caret | 正则表达式中的不匹配的脱字符 |
| CWE-710 | JavaScript/TypeScript | js/regex/unmatchable-dollar | 正则表达式中的不匹配的美元符号 |
| CWE-710 | JavaScript/TypeScript | js/remote-property-injection | 远程属性注入 |
| CWE-710 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-710 | JavaScript/TypeScript | js/hardcoded-data-interpreted-as-code | 将硬编码数据解释为代码 |
| CWE-710 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-710 | JavaScript/TypeScript | js/http-to-file-access | 网络数据写入文件 |
| CWE-710 | JavaScript/TypeScript | js/useless-assignment-in-return | return 语句分配局部变量 |
| CWE-710 | JavaScript/TypeScript | js/unreachable-statement | 不可到达的语句 |
| CWE-710 | JavaScript/TypeScript | js/trivial-conditional | 无用的条件 |
| CWE-710 | JavaScript/TypeScript | js/remote-property-injection-more-sources | 远程属性注入,并带有额外的启发式来源 |
| CWE-754 | JavaScript/TypeScript | js/unvalidated-dynamic-method-call | 未经验证的动态方法调用 |
| CWE-755 | JavaScript/TypeScript | js/stack-trace-exposure | 通过堆栈跟踪泄露信息 |
| CWE-758 | JavaScript/TypeScript | js/conflicting-html-attribute | 冲突的 HTML 元素属性 |
| CWE-758 | JavaScript/TypeScript | js/malformed-html-id | 格式错误的 id 属性 |
| CWE-758 | JavaScript/TypeScript | js/conditional-comment | 条件注释 |
| CWE-758 | JavaScript/TypeScript | js/non-standard-language-feature | 使用平台特定的语言特性 |
| CWE-758 | JavaScript/TypeScript | js/for-in-comprehension | 使用 for-in 推导块 |
| CWE-758 | JavaScript/TypeScript | js/yield-outside-generator | 在非生成器函数中使用 yield |
| CWE-770 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-770 | JavaScript/TypeScript | js/resource-exhaustion | 资源耗尽 |
| CWE-770 | JavaScript/TypeScript | js/resource-exhaustion-more-sources | 资源耗尽,并伴随额外的启发式来源 |
| CWE-776 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-776 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-783 | JavaScript/TypeScript | js/unclear-operator-precedence | 嵌套运算符的优先级不明确 |
| CWE-783 | JavaScript/TypeScript | js/whitespace-contradicts-precedence | 空白符与运算符优先级相矛盾 |
| CWE-798 | JavaScript/TypeScript | js/hardcoded-credentials | 硬编码的凭据 |
| CWE-799 | JavaScript/TypeScript | js/missing-rate-limiting | 缺少速率限制 |
| CWE-807 | JavaScript/TypeScript | js/user-controlled-bypass | 用户控制的安全检查绕过 |
| CWE-807 | JavaScript/TypeScript | js/different-kinds-comparison-bypass | 比较不同类型用户控制的数据 |
| CWE-807 | JavaScript/TypeScript | js/user-controlled-bypass-more-sources | 用户控制的安全检查绕过,并带有额外的启发式来源 |
| CWE-827 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-827 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-829 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-829 | JavaScript/TypeScript | js/missing-x-frame-options | 缺少 X-Frame-Options HTTP 标头 |
| CWE-829 | JavaScript/TypeScript | js/xxe | XML 外部实体扩展 |
| CWE-829 | JavaScript/TypeScript | js/insecure-download | 通过不安全连接下载敏感文件 |
| CWE-829 | JavaScript/TypeScript | js/functionality-from-untrusted-source | 从不受信任的来源包含功能 |
| CWE-829 | JavaScript/TypeScript | js/xxe-more-sources | XML 外部实体扩展,并伴随额外的启发式来源 |
| CWE-830 | JavaScript/TypeScript | js/functionality-from-untrusted-source | 从不受信任的来源包含功能 |
| CWE-834 | JavaScript/TypeScript | js/xml-bomb | XML 内部实体扩展 |
| CWE-834 | JavaScript/TypeScript | js/loop-bound-injection | 循环边界注入 |
| CWE-834 | JavaScript/TypeScript | js/inconsistent-loop-direction | for 循环方向不一致 |
| CWE-834 | JavaScript/TypeScript | js/xml-bomb-more-sources | XML 内部实体扩展,并伴随额外的启发式来源 |
| CWE-835 | JavaScript/TypeScript | js/inconsistent-loop-direction | for 循环方向不一致 |
| CWE-843 | JavaScript/TypeScript | js/type-confusion-through-parameter-tampering | 通过参数篡改导致类型混淆 |
| CWE-862 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-862 | JavaScript/TypeScript | js/empty-password-in-configuration-file | 配置文件中的空密码 |
| CWE-862 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-912 | JavaScript/TypeScript | js/hardcoded-data-interpreted-as-code | 将硬编码数据解释为代码 |
| CWE-912 | JavaScript/TypeScript | js/http-to-file-access | 网络数据写入文件 |
| CWE-913 | JavaScript/TypeScript | js/enabling-electron-renderer-node-integration | 为 Electron 网页内容渲染器启用 Node.js 集成 |
| CWE-913 | JavaScript/TypeScript | js/template-object-injection | 模板对象注入 |
| CWE-913 | JavaScript/TypeScript | js/code-injection | 代码注入 |
| CWE-913 | JavaScript/TypeScript | js/actions/command-injection | Actions 中的表达式注入 |
| CWE-913 | JavaScript/TypeScript | js/bad-code-sanitization | 代码清理不当 |
| CWE-913 | JavaScript/TypeScript | js/unsafe-code-construction | 使用库输入构建的不安全的代码 |
| CWE-913 | JavaScript/TypeScript | js/unsafe-dynamic-method-access | 不安全的动态方法访问 |
| CWE-913 | JavaScript/TypeScript | js/unsafe-deserialization | 反序列化用户控制的数据 |
| CWE-913 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-913 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-913 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-913 | JavaScript/TypeScript | js/code-injection-dynamic-import | 代码注入 |
| CWE-913 | JavaScript/TypeScript | js/actions/pull-request-target | 在可信上下文中签出不可信代码 |
| CWE-913 | JavaScript/TypeScript | js/code-injection-more-sources | 代码注入,并带有额外的启发式来源 |
| CWE-913 | JavaScript/TypeScript | js/unsafe-deserialization-more-sources | 反序列化用户控制的数据,并伴随额外的启发式来源 |
| CWE-913 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-915 | JavaScript/TypeScript | js/prototype-polluting-assignment | 原型污染赋值 |
| CWE-915 | JavaScript/TypeScript | js/prototype-pollution-utility | 原型污染函数 |
| CWE-915 | JavaScript/TypeScript | js/prototype-pollution | 原型污染合并调用 |
| CWE-915 | JavaScript/TypeScript | js/prototype-polluting-assignment-more-sources | 原型污染赋值,并带有额外的启发式来源 |
| CWE-916 | JavaScript/TypeScript | js/insufficient-password-hash | 使用计算量不足的密码哈希 |
| CWE-918 | JavaScript/TypeScript | js/client-side-request-forgery | 客户端请求伪造 |
| CWE-918 | JavaScript/TypeScript | js/request-forgery | 服务器端请求伪造 |
| CWE-918 | JavaScript/TypeScript | javascript/ssrf | 在网络请求中使用不受控制的数据 |
| CWE-922 | JavaScript/TypeScript | js/build-artifact-leak | 在构建工件中存储敏感信息 |
| CWE-922 | JavaScript/TypeScript | js/clear-text-logging | 明文记录敏感信息 |
| CWE-922 | JavaScript/TypeScript | js/clear-text-storage-of-sensitive-data | 明文存储敏感信息 |
| CWE-922 | JavaScript/TypeScript | js/password-in-configuration-file | 配置文件中的密码 |
| CWE-922 | JavaScript/TypeScript | js/clear-text-cookie | 敏感 cookie 的明文传输 |
| CWE-923 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-923 | JavaScript/TypeScript | js/disabling-certificate-validation | 禁用证书验证 |
| CWE-923 | JavaScript/TypeScript | js/insecure-dependency | 使用未加密的通信通道下载依赖项 |
| CWE-940 | JavaScript/TypeScript | js/missing-origin-check | postMessage 处理程序中缺少来源验证 |
| CWE-942 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials | CORS 凭据传输配置错误 |
| CWE-942 | JavaScript/TypeScript | js/cors-misconfiguration | 过于宽松的 CORS 配置 |
| CWE-942 | JavaScript/TypeScript | js/cors-misconfiguration-for-credentials-more-sources | CORS 凭据传输配置错误,并带有额外的启发式来源 |
| CWE-943 | JavaScript/TypeScript | js/sql-injection | 使用用户控制的来源构建数据库查询 |
| CWE-943 | JavaScript/TypeScript | js/xpath-injection | XPath 注入 |
| CWE-943 | JavaScript/TypeScript | js/env-key-and-value-injection | 用户控制的任意环境变量注入 |
| CWE-943 | JavaScript/TypeScript | js/env-value-injection | 用户控制的环境变量值注入 |
| CWE-943 | JavaScript/TypeScript | js/sql-injection-more-sources | 使用用户控制的来源构建数据库查询,并带有额外的启发式来源 |
| CWE-943 | JavaScript/TypeScript | js/xpath-injection-more-sources | XPath 注入,并带有额外的启发式来源 |
| CWE-1004 | JavaScript/TypeScript | js/client-exposed-cookie | 敏感的服务器端 cookie 暴露给客户端 |
| CWE-1022 | JavaScript/TypeScript | js/unsafe-external-link | 可能不安全的外部链接 |
| CWE-1176 | JavaScript/TypeScript | js/angular/double-compilation | 双重编译 |
| CWE-1275 | JavaScript/TypeScript | js/samesite-none-cookie | 敏感的 cookie 未设置 SameSite 限制 |
| CWE-1333 | JavaScript/TypeScript | js/polynomial-redos | 对不受控制的数据使用多项式正则表达式 |
| CWE-1333 | JavaScript/TypeScript | js/redos | 低效的正则表达式 |