CAST Appmarq
  • Benchmark Analytics
  • Demographics
  • CRASH Reports
  • Signin Register

Health Factors

  Total Quality Index (TQI)

3517 rules

Total Quality Index measures the general maintainability level of the application based on hundreds of metrics provided by CAST.

  Robustness

1420 rules

Robustness measures the level of risk and the likelihood of having application failures and defects resulting from modifications.

  Security

1316 rules

Security measures the likelihood of potential security breaches linked to coding practices and application source code.

  Efficiency

528 rules

Efficiency measures the likelihood of potential performance bottlenecks and the potential future scalability issues linked to coding practices.

  Changeability

1287 rules

Changeability measures how easily applications can be modified in order to implement new features, correct errors, or change the applications environment.

  Transferability

1279 rules

Transferability measures how easily applications can be moved across teams or team members including in-house and outsourced development teams.
Want more stats? Register now!

Quality Rules

Abstract Classes should be non copy-assignable
CRITICAL  A Class that has pointer data members must provide a copy Constructor
CRITICAL  Action Artifacts should not directly call a JSP page
CRITICAL  Action Artifacts should not directly use database objects
Action Classes should have only one public method
Action Classes should only be called by Action Mappings tag (for Struts 1.x) or Action tag (for Struts 2.x)
Action Classes should only call Business Classes
All ALLOCATE statements in Fortran-90 Functions must use the return code STAT (Fortran)
All ALLOCATE statements in Fortran-90 Modules must use the return code STAT (Fortran)
All ALLOCATE statements in Fortran-90 Programs must use the return code STAT (Fortran)
All ALLOCATE statements in Fortran-90 Subroutines must use the return code STAT (Fortran)
All constructors that are callable with a single argument of fundamental type shall be declared explicit.
Allow only HTTPS communication
All Read and Write statements in Functions must use the return code IOSTAT (Fortran)
All Read and Write statements in Modules must use the return code IOSTAT (Fortran)
All Read and Write statements in Programs must use the return code IOSTAT (Fortran)
All Read and Write statements in Subroutines must use the return code IOSTAT (Fortran)
All traffic to particular domains should use HTTPS
All types of a serializable class must be serializable
All types of a serializable Class must be serializable
Always activate unlockedDeviceRequired to avoid data decryption when device is unlocked
Always avoid http redirects to unknown or untrusted URLs
Always check all the BiometricPrompt acquired options in the onAuthenticationSucceeded method
Always check all the BiometricPrompt error options in the onAuthenticationError method
Always check the device supports Biometric capability before using BiometricPrompt API
CRITICAL  Always define column names when inserting values
CRITICAL  Always enable authorization checks at function level for functions called on by APIs
CRITICAL  Always enabled validateRequest in ASPX page
Always enable HttpOnly for cookies in Config file
Always enable RequireSSL attribute for cookies in Config file (ASP.NET)
Always enable validation input when doing ASP.NET Http Post/Put Request
Always handle errors when using ajax with RxJS
Always implement done, fail and/or always callbacks for $.ajax calls when using jQuery 3.0 (and latest)
CRITICAL  Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream
CRITICAL  Always implement the success/error/complete or done/fail/always callbacks when using jQuery ajax call
Always manage the BiometricPrompt onAuthenticationFailed method
Always mark Windows Forms starting point as STAThread
Always pass optional parameters too, when making 'base' calls
Always provide deserialization methods for optional fields
Always provide error callbacks when subscribing to HttpClient observables
Always Revert After Impersonation
Always unsubscribe events in Angular onDestroy method
Always use ConfigureAwait(false) in library code awaited tasks
CRITICAL  Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application
Always use JSON.parse & JSON.stringify with try/catch block (Javascript)
Always use JSON.parse & JSON.stringify with try/catch block (TypeScript)
Always use LAContext canEvaluatePolicy: before using evaluatePolicy:
Always use LAContext canEvaluatePolicy: before using evaluatePolicy:
Always use LAContext canEvaluatePolicy before using evaluatePolicy (Swift)
Always use onActivityResult to pass the login results when using Facebook SDK
Always use System.Uri instead of string to build URLs
CRITICAL  Always validate user input with Request variables
A permission is required for securing Activities
A permission is required for securing Receivers
A permission is required for securing Services
Apply signature-based permissions
Architecture Check: CACEIS:Avoid deprecated programs (Error)
Architecture Check: CACEIS:Avoid deprecated programs (Warning)
Architecture Check: Clarity Allowed
Architecture Check: Database Access Validation Architecture Model
A Read permission is required to read data of Content Provider
Arguments to a function-like macro shall not contain tokens that look like preprocessing directives.
Assignment operator should assign all non-static members of the target object
Authorization check should be done before calling a transaction
CRITICAL  Avoid accessing SAP standard Tables in modification from custom code
Avoid Action artifacts that call packages that reference database
CRITICAL  Avoid Action Mapping based on wildcards with Struts 2.3.14.2 and older versions
CRITICAL  Avoid action mappings validator turned off
CRITICAL  Avoid addEventListener containing hard coded strings (Flex)
CRITICAL  Avoid adding or removing displayable children from updateDisplayList (Flex specific) (Flex)
CRITICAL  Avoid AE Schema with Target namespace not defined (TIBCO BW)
Avoid allowing File IO unrestricted access
CRITICAL  Avoid * and use strongly typed objects instead in fields (Flex)
CRITICAL  Avoid * and use strongly typed objects instead in variables (Flex)
Avoid any non-static data members not initialized in constructor
CRITICAL  Avoid ArrayElementType metadata not specified for the array-type field (Flex)
Avoid artifacts having db.collection.ensureIndex() to create new indexes
Avoid artifacts having Incorrect Type Conversion or Cast
Avoid Avoid Cookie Misconfiguration (PHP)
CRITICAL  Avoid BindingUtils class that uses hard coded strings (Flex)
Avoid blocking async methods (.NET, VB)
CRITICAL  Avoid Buffer Overruns when using ADD, SUBTRACT, MULTIPLY, DIVIDE & COMPUTE statement inside a loop
Avoid bypassing angular security trust
Avoid bypassing self-signed ssl certificate (Node.js)
CRITICAL  Avoid bypassing self-signed ssl certificate with Node.js (TypeScript)
CRITICAL  Avoid CairngormEventDispatcher called explicitly (Flex)
CRITICAL  Avoid calling Alert.show directly (Flex)
Avoid calling blocking functions with an infinite timeout
CRITICAL  Avoid calling callLater explicitly (Flex specific) (Flex)
CRITICAL  Avoid calling CoSetProxyBlanket and CoInitializeSecurity
Avoid calling database commands directly using system functions as "C_DB_EXECUTE" and "C_DB_FUNCTION"
Avoid calling finalize()
Avoid calling programs statically
CRITICAL  Avoid calling system function (CALL 'cfunc') BETA
CRITICAL  Avoid calling unsafe C library functions from COBOL
Avoid calls between JSP Pages
CRITICAL  Avoid calls to the StyleManager that do not pass FALSE as the second parameter (Flex)
Avoid catch-all except blocks with empty handlers
Avoid 'catch-all' statement
Avoid catch blocks with assertion
Avoid catching an exception of type Exception (C# .Net)
Avoid catching an exception of type Exception, RuntimeException, or Throwable
Avoid catching an exception of type Exception, RuntimeException, or Throwable (JEE)
CRITICAL  Avoid ChangeWatcher class that uses hard coded strings to specify the attribute name, to listen to. Prefer listening to events or setters (Flex)
Avoid changing parent properties from child components using $parent
CRITICAL  Avoid checking Integer overflow without explicit cast
Avoid circular references between header files
CRITICAL  Avoid classes exceeding maximum length (PHP)
CRITICAL  Avoid Classes using "new" to allocate Instances but not defining a copy Constructor
Avoid Classes with a copy Constructor and the default Destructor or assignment operator
Avoid Classes with a High Public Data Ratio
Avoid Classes with a High Public Data Ratio (C++)
Avoid Classes with a High Public Data Ratio (C# .Net)
Avoid Classes with a High Public Data Ratio (JEE)
Avoid Classes with a High Public Data Ratio (PowerBuilder)
Avoid Classes with a High Public Data Ratio (Visual Basic)
Avoid Classes with an assignment operator and the default Destructor or assignment operator
Avoid Classes with a non-empty Destructor and the default assignment operator or copy Constructor
CRITICAL  Avoid classes with misplaced metadata (Flex)
CRITICAL  Avoid classes with unknown metadata attribute (Flex)
Avoid client provided dictionaries to have high request sizes
CRITICAL  Avoid clone event not overiden in a custom event (Flex)
CRITICAL  Avoid code injection
CRITICAL  Avoid code injection through API requests
CRITICAL  Avoid comparing passwords against hard-coded strings
Avoid comparing types of different widths in a loop
Avoid Constructors not supplying an initial value for all non-static data members
CRITICAL  Avoid constructor with a return type (Flex)
CRITICAL  Avoid control statement in Constructor (must be as lightweight as possible) (Flex)
CRITICAL  Avoid cookie injection
CRITICAL  Avoid copying needless the variables (PHP)
Avoid creating cookies without enabling httponly attribute
Avoid creating cookie without setting httpOnly option
Avoid creating cookie without setting httpOnly option (Javascript)
CRITICAL  Avoid creating cookie without setting httpOnly option (TypeScript)
CRITICAL  Avoid creating cookie with overly broad domain (AngularJS)
Avoid creating cookie with overly broad domain (Node.js)
CRITICAL  Avoid creating cookie with overly broad domain (Vue.js)
CRITICAL  Avoid creating cookie with overly broad path (AngularJS)
Avoid creating cookie with overly broad path (C#)
Avoid creating cookie with overly broad path (Javascript)
Avoid creating cookie with overly broad path (JEE)
Avoid creating cookie with overly broad path (Node.js)
CRITICAL  Avoid creating cookie with overly broad path (TypeScript)
CRITICAL  Avoid creating cookie with overly broad path (Vue.js)
Avoid creating file without protection
Avoid creating file without protection
Avoid creating file without protection (Swift)
CRITICAL  Avoid creating unsecured HTTPS GET metadata endpoint in code
CRITICAL  Avoid creating unsecured HTTPS GET metadata endpoint in configuration
Avoid Cross-Client Database Access using Open SQL statements with CLIENT SPECIFIED/USING CLIENT addition
CRITICAL  Avoid cross-site scripting DOM vulnerabilities ( CWE-79 )
CRITICAL  Avoid Cross-Site Scripting (Persistent)
Avoid cross site scripting (single quoted attribute) (PHP)
CRITICAL  Avoid cross-site scripting through API requests
Avoid custom code with OSS notes
CRITICAL  Avoid cyclical calls and inheritances between namespaces content
CRITICAL  Avoid cyclical calls and inheritances between packages
Avoid cyclic calls between Event and its handled Method
Avoid cyclic references in the definition of CDS views (S4/HAHA)
CRITICAL  Avoid dangerous file inclusion
CRITICAL  Avoid dangerous file inclusion (JSTL) (Javascript/HTML5)
CRITICAL  Avoid dangerous File Upload
Avoid database tables associated to more than one Entity
Avoid data fields binded to columns to return sensitive data via APIs
CRITICAL  Avoid data filter injection
CRITICAL  Avoid data filter injection through API requests
Avoid data members that are not private
Avoid Datawindows accessing Database Procedures or Functions
Avoid Datawindows accessing Database Tables (PowerBuilder)
Avoid Datawindows that does not access a database data
Avoid debug binaries that include detailed debug information
Avoid debug code in the production system (PHP)
Avoid debug forging
Avoid debug forging through API requests
Avoid declaring Final Instance Variables that are not dynamically initialized
Avoid declaring Inner Classes
Avoid declaring Instance Variables without defined access type
Avoid declaring Non Final Class Variables with Public or Package access type
CRITICAL  Avoid declaring null arrays; prefer to set to empty (EGL)
CRITICAL  Avoid declaring public Fields
Avoid declaring throwing an exception and not throwing it
Avoid Default exclude patterns (excludeParams) in Apache Struts 2.3.20
Avoid #define or #undef macros anywhere other than global namespace
Avoid defining, redefining or undefining standard macros from standard library
Avoid delete operators to exit with an exception.
CRITICAL  Avoid deserialization injection
CRITICAL  Avoid deserialization injection through API requests
Avoid direct access to database Procedures/Functions (JSP)
Avoid direct access to Database Tables
CRITICAL  Avoid direct access to database Tables (ASP)
CRITICAL  Avoid direct access to Database Tables (C# .Net)
Avoid direct access to Database Tables in Javascript
CRITICAL  Avoid direct access to database Tables (JSP)
Avoid direct Class inheritance from java.lang.Throwable
Avoid direct definition of JavaScript Functions in a Web page
Avoid direct definition of JavaScript Functions in a Web page (Javascript/HTML5)
CRITICAL  Avoid directly instantiating a Class used as a Spring bean
CRITICAL  Avoid direct usage of database tables (C++)
CRITICAL  Avoid direct usage of database Tables (C Lang.)
CRITICAL  Avoid Direct usage of database Tables (Visual Basic)
Avoid direct usage of EJB Entity from the client
Avoid direct use of database objects (ASP - JavaScript)
Avoid direct use of Database objects (JSP/ASP)
Avoid disabling authentication mode messages when using MSMQ transport security
Avoid disabling certificate check when requesting secured urls
Avoid disabling custom errors mode to prevent exposure of exceptions and error data
Avoid disabling EnableViewStateMac in ASPX page
CRITICAL  Avoid disabling EnableViewStateMac in Config file
Avoid disabling Header Checking flag in config file
CRITICAL  Avoid disabling HMAC signature verification (C#)
CRITICAL  Avoid disabling OR not defining encryption behavior for encryption when connecting with Database
Avoid disabling source code inspection
Avoid disabling SSL verification in node-curl
CRITICAL  Avoid disabling SSL verification in node-curl (TypeScript)
Avoid disabling Strict Contextual Escaping (SCE) when created
CRITICAL  Avoid disabling the expiration time requirement of a JWT token
CRITICAL  Avoid disabling the expiration time validation of a JWT token
CRITICAL  Avoid disabling the signature requirement of a JWT token
CRITICAL  Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC)
Avoid disabling ValidateInput on controller
CRITICAL  Avoid disabling ValidateRequest in Config file
Avoid disabling withCredentials option for the httpProvider
Avoid disabling xsrf check in HttpClientXsrfModule
CRITICAL  Avoid DispatchEvent function not dispatching constant strings (Flex)
Avoid DISPLAY ... UPON CONSOLE
CRITICAL  Avoid double checked locking
Avoid Duplicate Struts validation forms with the same name
CRITICAL  Avoid dynamic class (Flex)
CRITICAL  Avoid dynamic code injection in WKWebView (Swift)
Avoid EJBs using 'synchronized' qualifier, 'wait', 'notify' and 'notifyAll' Methods
CRITICAL  Avoid empty catch blocks
CRITICAL  Avoid empty catch blocks
CRITICAL  Avoid empty catch blocks
CRITICAL  Avoid empty CATCH blocks (ABAP)
CRITICAL  Avoid empty catch blocks (C# .Net)
Avoid empty catch blocks for methods with high fan-in
CRITICAL  Avoid empty catch blocks (JEE)
CRITICAL  Avoid empty catch blocks (PHP)
CRITICAL  Avoid empty catch statement (Flex)
Avoid empty componentDidCatch blocks
Avoid empty componentDidCatch blocks (Typescript)
Avoid empty finally block
Avoid empty finally block
Avoid empty finally blocks
Avoid empty finally blocks (C# .Net)
Avoid empty finally blocks (JEE)
Avoid Empty Finally Block When Calling Resource
CRITICAL  Avoid empty generic catch blocks (Swift)
CRITICAL  Avoid empty IF-ENDIF blocks
CRITICAL  Avoid empty jQuery ajax error/fail blocks
Avoid enabling autocomplete "on" for inputs/forms
Avoid enabling dangerous protocols in whitelist APIs
CRITICAL  Avoid enabling unsecure Node.js (TypeScript)
CRITICAL  Avoid event dispatched in a constructor (Flex)
Avoid exposing methods that use Platform Invocation Services to access unmanaged code
CRITICAL  Avoid expression language injection
CRITICAL  Avoid expression language injection through API requests
CRITICAL  Avoid external control of system or configuration setting
CRITICAL  Avoid external control of system or configuration setting through API requests
CRITICAL  Avoid Fields in Action Classes that are not final static
CRITICAL  Avoid Fields in Servlet Classes that are not final static
CRITICAL  Avoid file path manipulation vulnerabilities ( CWE-73 )
CRITICAL  Avoid file path manipulation vulnerabilities through API requests
Avoid files that declare both symbols and execute logic with side effects (PHP)
Avoid filtering sensitive data using front-end
CRITICAL  Avoid Form Field without Validator
CRITICAL  Avoid Function and Procedures using Builtin Function "String" (PL1)
Avoid Functions and Procedures doing an Insert, Update or Delete without managing a transaction
Avoid Functions and Procedures doing an Insert, Update or Delete without managing a transaction (SQL)
Avoid Functions and Procedures having a SELECT without the default OTHERWISE clause (PL1)
Avoid Functions and Procedures having subscripts used in arrays or in do loops and not declared as BINARY FIXED(31) (PL1)
Avoid Functions and Procedures not having variable declared on a separate line (PL1)
Avoid Functions and Procedures not testing the SQLCODE return code after each SQL statement (PL1)
CRITICAL  Avoid Functions and Procedures not using the REORDER option (PL1)
Avoid Functions and Procedures using BIN FIXED(15) instead of BIN FIXED(31) for all local variables (PL1)
CRITICAL  Avoid Functions and Procedures using BLKSIZE or RECSIZE (PL1)
Avoid Functions and Procedures with DB2 SQL containing "UNION" clause without "ALL" option (PL1)
Avoid Functions and Procedures with "OR" logical operator in DB2 queries and in cursor definitions (PL1)
CRITICAL  Avoid functions having the optional parameters before the others (PHP)
CRITICAL  Avoid Functions throwing exceptions and not having a @Throws tag (PHP)
Avoid functions without returning exit code (Shell)
CRITICAL  Avoid generating key with insufficient random generator in cookies
Avoid getter functions of computed properties that do not return any value
CRITICAL  Avoid globally bindable classes. (Flex)
CRITICAL  Avoid hard-coded JWT secret keys
CRITICAL  Avoid hardcoded network resource names
Avoid hardcoded network resource names
Avoid hardcoded network resource names in Javascript
CRITICAL  Avoid hardcoded network resource names (Kotlin)
Avoid hardcoded network resource names (.NET, VB)
Avoid hard-coded network resource names (Swift)
Avoid hardcoded network resource names (Typescript)
CRITICAL  Avoid hard-coded password in connection string
Avoid hardcoded passwords
CRITICAL  Avoid hardcoded passwords and credentials (Kotlin)
Avoid hardcoded passwords (Javascript)
Avoid hardcoded passwords (Swift)
Avoid hardcoded passwords (TypeScript)
CRITICAL  Avoid hardcoded timeout in Process Activities (TIBCO BW)
Avoid having applications with the debug mode activated
Avoid having applications with the tracing activated in the source code
Avoid having applications with the tracing activated in the web config file
Avoid having aspx pages with tracing activated
Avoid having boolean operators with non-boolean operands (C/C++)
Avoid having call function return ignored (PHP)
Avoid having code dynamically executed
CRITICAL  Avoid having constructors with a return value (PHP)
Avoid having cookie with an overly broad domain (C#)
Avoid having cookie with an overly broad domain (Javascript)
Avoid having cookie with an overly broad domain (JEE)
CRITICAL  Avoid having cookie with an overly broad domain (TypeScript)
Avoid having errors without throwing them
Avoid having expressions with bool type to be used as operands on operators other than =, &&, ||, !, ==, !=, the unary & operator, and the conditional operator
Avoid having functions with no return (PHP)
Avoid having handleHardIOErrors property enabled (EGL)
Avoid having iframe inside a tag
Avoid having local forward with same name as global forward
Avoid having lock on this object
Avoid having lonely variables (PHP)
Avoid having long timeout for HttpCookie (> 5 mn)
Avoid having MongoDB databases access without authentication activated
Avoid having multiple artifacts deleting data on the same SQL table
Avoid having multiple artifacts deleting data on the same SQL table (EGL)
CRITICAL  Avoid having multiple artifacts deleting data on the same SQL table (PLC)
CRITICAL  Avoid having multiple artifacts deleting data on the same SQL table (PLI)
Avoid having multiple Artifacts inserting data on the same SQL Table
Avoid having multiple artifacts inserting data on the same SQL table (EGL)
CRITICAL  Avoid having multiple artifacts inserting data on the same SQL table (PLC)
CRITICAL  Avoid having multiple artifacts inserting data on the same SQL table (PLI)
Avoid having multiple Artifacts updating data on the same SQL Table
Avoid having multiple artifacts updating data on the same SQL table (EGL)
CRITICAL  Avoid having multiple artifacts updating data on the same SQL table (PLC)
CRITICAL  Avoid having multiple artifacts updating data on the same SQL table (PLI)
CRITICAL  Avoid having overrided record declaration with a duplicate declaration in the same application (EGL)
Avoid having properties with __get and no __set (PHP)
CRITICAL  Avoid having the assignment to "$this" (PHP)
Avoid having the property IncludeExceptionDetailInFaults activated in the source code
Avoid having V60ExceptionCompatibility property set to NO (EGL)
Avoid header files circular references
CRITICAL  Avoid hidden form fields to prevent parameter tampering (Javascript/HTML5)
Avoid hosting HTML code in iframe srcdoc
CRITICAL  Avoid HTTP response splitting through API requests
Avoid Http Session never expires
Avoid "id" attributes for forms as well as submit
Avoid if statements and blocks that are always TRUE or FALSE
Avoid Impersonate Globally
Avoid improper instantiation of argument exceptions
CRITICAL  Avoid improper processing of the execution status of data handling operations
Avoid Include Circular references
Avoid include JavaScript Files
Avoid incoherent file accesses in Cobol programs and DISP clauses in JCL
Avoid inconsistent initialization when deriving a new exception
CRITICAL  Avoid incorrect signature of the message interceptor. (Flex)
CRITICAL  Avoid insecure parameters for Argon2 password encoder
CRITICAL  Avoid insecure parameters for BCrypt password encoder
CRITICAL  Avoid insecure parameters for PBKDF2 password encoder
CRITICAL  Avoid insecure parameters for SCrypt password encoder
CRITICAL  Avoid insecure use of YAML deserialization when using SnakeYaml (JEE)
Avoid instanceof in Methods that override or implement Object.equals(), Comparable.compareTo()
CRITICAL  Avoid instanciating a variable in a loop (Flex)
Avoid instantiating Boolean
Avoid iterator invalidation.
CRITICAL  Avoid Javascript string interpolations to prevent SQL injections
Avoid JavaScript to block page loading
CRITICAL  Avoid JDBC Connections having password type as string (TIBCO BW)
CRITICAL  Avoid JMS Synchronous Activities (TIBCO BW)
Avoid jump statements in finally
Avoid large number of String concatenation
Avoid large number of String concatenation
CRITICAL  Avoid LDAP injection vulnerabilities ( CWE-90 )
CRITICAL  Avoid LDAP injection vulnerabilities through API requests
Avoid lines starting with "#" with invalid pre-processing directive
Avoid local variables that are not initialized at declaration time
Avoid locking of Objects with weak identities
CRITICAL  Avoid Log forging vulnerabilities ( CWE-117 )
CRITICAL  Avoid log forging vulnerabilities through API requests
Avoid Logical Files using DYNSLT (DB400)
CRITICAL  Avoid Logical Files using DYNSLT (DDS400)
Avoid Logical File without associated Physical File (DB400)
CRITICAL  Avoid Logical File without associated Physical File (DDS400)
Avoid Long request parameter names in Struts 2.0.0 - struts 2.3.4
Avoid Main Procedures having LEAVE statement (PL1)
CRITICAL  Avoid Main Procedures not having an ON ERROR clause (PL1)
CRITICAL  Avoid Main procedures using the DATE builtin Function via include PLC (PL1)
Avoid Managed type declaration for Win32 API using Overlapped IO
Avoid manipulating a list while iterating over it
Avoid many-to-many association
Avoid message security without authentication for an anonymous client
CRITICAL  Avoid method metadata argument redundant with the handler name (Flex)
CRITICAL  Avoid Methods and Functions directly access to database tables (PHP)
Avoid missing default in switch statements
Avoid missing default in switch statements (JEE)
Avoid Missing Form Bean in Struts 1.x
CRITICAL  Avoid missing WHEN OTHERS in CASE statements
CRITICAL  Avoid mixing trusted and untrusted data in HTTP requests through API requests
CRITICAL  Avoid modelLocator that is Bindable at a class level (Flex)
CRITICAL  Avoid more than one reference of ModelLocator per class (Flex)
Avoid move constructor and move assignment operator to exit with an exception
Avoid multiple validation form with the same name
Avoid mutable default parameter values
CRITICAL  Avoid MVC injection
CRITICAL  Avoid MVC injection through API requests
CRITICAL  Avoid MXML component with more than 1 public variable (Flex)
CRITICAL  Avoid MXML component with more than 2 public variables (Flex)
Avoid non-public custom exception types
Avoid non serializable Entities
CRITICAL  Avoid non thread safe singleton
CRITICAL  Avoid non validated inputs
Avoid non-void return type function without an explicit return of an expression (C/C++)
CRITICAL  Avoid NoSQL injection on MongoDB (C#)
CRITICAL  Avoid NoSQL injection through API requests
Avoid not enabling throttling while setting service behavior
Avoid NULL Pointer Dereference (C#, VB.NET)
CRITICAL  Avoid numerical data corruption during incompatible mutation
Avoid Objects having exposed pointers allowed to access unmanaged memory
Avoid old VAGen Compatibility statements (EGL)
Avoid orphaned synonyms
Avoid orphaned synonyms in PL/SQL context
CRITICAL  Avoid OS command injection vulnerabilities ( CWE-78 )
CRITICAL  Avoid OS command injection vulnerabilities through API requests
Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy
Avoid override artifacts not having link demands identical to base
CRITICAL  Avoid package configuration having no or wildcard namespace with Struts2
CRITICAL  Avoid packages with misplaced metadata (Flex)
CRITICAL  Avoid packages with unknown metadata attribute (Flex)
Avoid passing an existing array with spread operator as an argument using vararg as parameters (Kotlin)
Avoid passing parameter by value
Avoid passing the variables of a function by reference(PHP)
Avoid PB Function/Event/Method accessing Database Procedures or Functions
Avoid PB Function/Event/Method accessing Database Tables (PowerBuilder)
Avoid PHP Dangerous Feature (PHP)
Avoid Physical File updated by multiple program (DB400)
Avoid PL1 Errors Blocks having ON ERROR SYSTEM blocks and not containing and displaying ONCODE and ONLOC (PL1)
CRITICAL  Avoid plaintext storage of password
CRITICAL  Avoid PLC Copybooks using FIXED variable type declaration (PL1)
CRITICAL  Avoid PLC Copybooks using variables with ALLOCATE and without FREE (PL1)
Avoid PLC Copybook with a very low comment/code ratio (PL1)
Avoid PLC Procedures & Functions with a very low comment/code ratio (PL1)
CRITICAL  Avoid PLI Main procedures using variables with ALLOCATE and without FREE (PL1)
Avoid PLI Procedures & Functions with a very low comment/code ratio (PL1)
CRITICAL  Avoid popup using dynamic filters (Flex)
CRITICAL  Avoid Procedures using an Insert, Update, Delete, Create Table or Select without including error management
CRITICAL  Avoid process control
CRITICAL  Avoid process control through API requests
CRITICAL  Avoid Processes using JDBC SQL Direct (TIBCO BW)
Avoid processing Google Sign In Client without catching error
CRITICAL  Avoid program calls outside a try end block (EGL)
CRITICAL  Avoid Program calls without checking the return code (EGL)
Avoid Programs accessing directly to Physical Files (RPG300)
Avoid Programs accessing directly to Physical Files (RPG400)
Avoid Programs accessing directly to Physical Files (RPG_FP)
Avoid Programs accessing more than X physical files (RPG300)
Avoid Programs accessing more than X physical files (RPG400)
Avoid Programs accessing more than X physical files (RPG_FP)
Avoid Programs declaring STATIC variables (PL1)
Avoid Programs having cursors that doesn't contain the "FOR UPDATE" clause and not containing the "FOR READ ONLY" or "FOR FETCH ONLY" clause (PL1)
Avoid Programs having files declared and not having the ON UNDF or ON UNDEFINEDFILE statement except SYSPRINT and SYSIN (PL1)
Avoid Programs having files declared as RECORD INPUT or RECORD UPDATE and not having the ON EOF or ON ENDFILE statement (PL1)
Avoid Programs having FIXED without BIN or BINARY or DEC or DECIMAL.The character "(" is mandatory. (PL1)
Avoid programs not having the property allowUnqualifiedItemReferences set to YES (EGL)
Avoid programs not having the property I4GLItemsNullable set to NO (EGL)
Avoid Programs not having the property includeReferencedFunctions set to YES (EGL)
CRITICAL  Avoid Programs not using explicitly OPEN and CLOSE files (PL1)
Avoid Programs overriding the *PROCESS statement (PL1)
Avoid providing password in Web Service URL
Avoid providing password in Web Service URL
Avoid providing password in Web Service URL
Avoid providing password in Web Service URL
Avoid Psysical Files using large buffers (DB400)
Avoid public/protected setter for the generated identifier field
CRITICAL  Avoid public variables inside a custom event (Flex)
Avoid Python string interpolations to prevent SQL injections
Avoid queries using old style join convention instead of ANSI-Standard joins
Avoid raising an exception in a Web Dynpro Supply Function or in a Method called by a Supply Function
Avoid raising exceptions in unexpected location
CRITICAL  Avoid Record Column without having the same nullable requirement as the corresponding SQL Table column (EGL)
CRITICAL  Avoid Reflected Cross-site Scripting (Non Persistent)
CRITICAL  Avoid reflection injection
CRITICAL  Avoid reflection injection through API requests
CRITICAL  Avoid Regular expression injection
CRITICAL  Avoid Regular expression injection through API requests
CRITICAL  Avoid resource injection
CRITICAL  Avoid resource injection through API requests
CRITICAL  Avoid resource URL manipulation
CRITICAL  Avoid resource URL manipulation through API requests
Avoid rethrow exception explicitly
Avoid returning null from non-async Task/Task method
Avoid returning null from ToString()
Avoid return statement in @finally block
Avoid return statement in @finally block
Avoid return statement in finally block
Avoid return statement in finally block
Avoid return statements in finally blocks (JEE)
Avoid scripts and functions using SQL static statements (Shell)
Avoid scripts and functions with SQL code in temporary files (Shell)
CRITICAL  Avoid second order deserialization injection
CRITICAL  Avoid second order expression language injection
CRITICAL  Avoid second order LDAP injection
CRITICAL  Avoid second order OS command injection
CRITICAL  Avoid second order Regular expression injection
CRITICAL  Avoid second order server-side request forgery
CRITICAL  Avoid second order SQL injection
CRITICAL  Avoid second order URL redirection to untrusted site
CRITICAL  Avoid second order XPath injection
CRITICAL  Avoid second order XQuery injection
CRITICAL  Avoid Sections directly access to database tables (PHP)
CRITICAL  Avoid server-side request forgery
CRITICAL  Avoid server-side request forgery through API requests
Avoid Session Fixation (PHP)
Avoid setting android:grantUriPermissions as True
CRITICAL  Avoid setting a pointer to the address of a local variable defined in a lower scope
Avoid shadowing class variables
Avoid SQL injection in dynamic SQL for Oracle
CRITICAL  Avoid SQL injection vulnerabilities ( CWE-89 )
CRITICAL  Avoid SQL injection vulnerabilities through API requests
CRITICAL  Avoid SQL query outside try-on block (EGL)
CRITICAL  Avoid Stateful Beans not removed
Avoid static Field of type collection
Avoid static Fields that are not final
Avoid Stored Procedures not returning a status value
CRITICAL  Avoid storing Non-Serializable Object as HttpSessionState attributes.
Avoid storing passwords in Comments
Avoid storing passwords in the config files
Avoid String concatenation in loops for artifacts with high fan in
Avoid String initialization with String object (created using the 'new' keyword)
CRITICAL  Avoid string interpolations to prevent SQL injections (TypeScript)
CRITICAL  Avoid Struts 2 Action Fields without Validation
Avoid Struts 2 Validator field not referencing a java class field
Avoid Struts action Mapping with disabled validator
CRITICAL  Avoid Struts Invalidated Action Form 1.x
CRITICAL  Avoid switch statement without a default statement (Flex)
Avoid synchronizing the credentials with iCloud
Avoid synchronizing the credentials with iCloud
Avoid synchronizing the credentials with iCloud (Swift)
Avoid table and column names that are too long (portability)
CRITICAL  Avoid Tables without Primary Key
CRITICAL  Avoid test containing a hard coded boolean value. (Flex)
CRITICAL  Avoid testing floating point numbers for equality
Avoid testing floating point numbers for equality
CRITICAL  Avoid testing specific values for SY-UNAME
Avoid