CAST Appmarq
  • Benchmark Analytics
  • Demographics
  • CRASH Reports
  • Signin Register

Health Factors

  Total Quality Index (TQI)

3786 rules

Total Quality Index measures the general maintainability level of the application based on hundreds of metrics provided by CAST.

  Robustness

1426 rules

Robustness measures the level of risk and the likelihood of having application failures and defects resulting from modifications.

  Security

1418 rules

Security measures the likelihood of potential security breaches linked to coding practices and application source code.

  Efficiency

535 rules

Efficiency measures the likelihood of potential performance bottlenecks and the potential future scalability issues linked to coding practices.

  Changeability

1292 rules

Changeability measures how easily applications can be modified in order to implement new features, correct errors, or change the applications environment.

  Transferability

1284 rules

Transferability measures how easily applications can be moved across teams or team members including in-house and outsourced development teams.
Want more stats? Register now!

Quality Rules

Abstract Classes should be non copy-assignable

CRITICAL  A Class that has pointer data members must provide a copy Constructor

CRITICAL  Action Artifacts should not directly call a JSP page

CRITICAL  Action Artifacts should not directly use database objects

Action Classes should have only one public method

Action Classes should only be called by Action Mappings tag (for Struts 1.x) or Action tag (for Struts 2.x)

Action Classes should only call Business Classes

All ALLOCATE statements in Fortran-90 Functions must use the return code STAT (Fortran)

All ALLOCATE statements in Fortran-90 Modules must use the return code STAT (Fortran)

All ALLOCATE statements in Fortran-90 Programs must use the return code STAT (Fortran)

All ALLOCATE statements in Fortran-90 Subroutines must use the return code STAT (Fortran)

All constructors that are callable with a single argument of fundamental type shall be declared explicit.

Allow only HTTPS communication

All Read and Write statements in Functions must use the return code IOSTAT (Fortran)

All Read and Write statements in Modules must use the return code IOSTAT (Fortran)

All Read and Write statements in Programs must use the return code IOSTAT (Fortran)

All Read and Write statements in Subroutines must use the return code IOSTAT (Fortran)

All traffic to particular domains should use HTTPS

All types of a serializable class must be serializable

All types of a serializable Class must be serializable

Always activate unlockedDeviceRequired to avoid data decryption when device is unlocked

Always avoid http redirects to unknown or untrusted URLs

Always check all the BiometricPrompt acquired options in the onAuthenticationSucceeded method

Always check all the BiometricPrompt error options in the onAuthenticationError method

Always check the device supports Biometric capability before using BiometricPrompt API

CRITICAL  Always define column names when inserting values

CRITICAL  Always enable authorization checks at function level for functions called on by APIs

CRITICAL  Always enabled validateRequest in ASPX page

Always enable HttpOnly for cookies in Config file

Always enable RequireSSL attribute for cookies in Config file (ASP.NET)

Always enable validation input when doing ASP.NET Http Post/Put Request

Always handle errors when using ajax with RxJS

Always implement done, fail and/or always callbacks for $.ajax calls when using jQuery 3.0 (and latest)

CRITICAL  Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream

CRITICAL  Always implement the success/error/complete or done/fail/always callbacks when using jQuery ajax call

Always manage the BiometricPrompt onAuthenticationFailed method

Always mark Windows Forms starting point as STAThread

Always pass optional parameters too, when making 'base' calls

CRITICAL  Always protect against CSRF in FastAPI application

CRITICAL  Always protect against CSRF in Flask application

Always provide deserialization methods for optional fields

Always provide error callbacks when subscribing to HttpClient observables

Always Revert After Impersonation

Always unsubscribe events in Angular onDestroy method

Always use ConfigureAwait(false) in library code awaited tasks

CRITICAL  Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application

Always use JSON.parse & JSON.stringify with try/catch block (Javascript)

Always use JSON.parse & JSON.stringify with try/catch block (TypeScript)

Always use LAContext canEvaluatePolicy: before using evaluatePolicy:

Always use LAContext canEvaluatePolicy: before using evaluatePolicy:

Always use LAContext canEvaluatePolicy before using evaluatePolicy (Swift)

Always use onActivityResult to pass the login results when using Facebook SDK

Always use System.Uri instead of string to build URLs

CRITICAL  Always validate user input with Request variables

A permission is required for securing Activities

A permission is required for securing Receivers

A permission is required for securing Services

Apply signature-based permissions

Architecture Check: CACEIS:Avoid deprecated programs (Error)

Architecture Check: CACEIS:Avoid deprecated programs (Warning)

Architecture Check: Clarity Allowed

Architecture Check: Database Access Validation Architecture Model

A Read permission is required to read data of Content Provider

Arguments to a function-like macro shall not contain tokens that look like preprocessing directives.

Assignment operator should assign all non-static members of the target object

Authorization check should be done before calling a transaction

CRITICAL  Avoid accessing SAP standard Tables in modification from custom code

Avoid Action artifacts that call packages that reference database

CRITICAL  Avoid Action Mapping based on wildcards with Struts 2.3.14.2 and older versions

CRITICAL  Avoid action mappings validator turned off

CRITICAL  Avoid addEventListener containing hard coded strings (Flex)

CRITICAL  Avoid adding or removing displayable children from updateDisplayList (Flex specific) (Flex)

CRITICAL  Avoid AE Schema with Target namespace not defined (TIBCO BW)

Avoid allowing File IO unrestricted access

CRITICAL  Avoid * and use strongly typed objects instead in fields (Flex)

CRITICAL  Avoid * and use strongly typed objects instead in variables (Flex)

Avoid any non-static data members not initialized in constructor

CRITICAL  Avoid ArrayElementType metadata not specified for the array-type field (Flex)

Avoid artifacts having db.collection.ensureIndex() to create new indexes

Avoid artifacts having Incorrect Type Conversion or Cast

Avoid Avoid Cookie Misconfiguration (PHP)

CRITICAL  Avoid BindingUtils class that uses hard coded strings (Flex)

Avoid blocking async methods (.NET, VB)

CRITICAL  Avoid Buffer Overruns when using ADD, SUBTRACT, MULTIPLY, DIVIDE & COMPUTE statement inside a loop

Avoid bypassing angular security trust

Avoid bypassing self-signed ssl certificate (Node.js)

CRITICAL  Avoid bypassing self-signed ssl certificate with Node.js (TypeScript)

CRITICAL  Avoid CairngormEventDispatcher called explicitly (Flex)

CRITICAL  Avoid calling Alert.show directly (Flex)

Avoid calling blocking functions with an infinite timeout

CRITICAL  Avoid calling callLater explicitly (Flex specific) (Flex)

CRITICAL  Avoid calling CoSetProxyBlanket and CoInitializeSecurity

Avoid calling database commands directly using system functions as "C_DB_EXECUTE" and "C_DB_FUNCTION"

Avoid calling finalize()

Avoid calling programs statically

CRITICAL  Avoid Calling RFC Function Module without Authorization Check

CRITICAL  Avoid calling system function (CALL 'cfunc') BETA

CRITICAL  Avoid calling unsafe C library functions from COBOL

Avoid calls between JSP Pages

CRITICAL  Avoid calls to the StyleManager that do not pass FALSE as the second parameter (Flex)

Avoid catch-all except blocks with empty handlers

Avoid 'catch-all' statement

Avoid catch blocks with assertion

Avoid catching an exception of type Exception (C# .Net)

Avoid catching an exception of type Exception, RuntimeException, or Throwable

Avoid catching an exception of type Exception, RuntimeException, or Throwable (JEE)

CRITICAL  Avoid ChangeWatcher class that uses hard coded strings to specify the attribute name, to listen to. Prefer listening to events or setters (Flex)

Avoid changing parent properties from child components using $parent

CRITICAL  Avoid checking Integer overflow without explicit cast

Avoid circular references between header files

CRITICAL  Avoid classes exceeding maximum length (PHP)

CRITICAL  Avoid Classes using "new" to allocate Instances but not defining a copy Constructor

Avoid Classes with a copy Constructor and the default Destructor or assignment operator

Avoid Classes with a High Public Data Ratio

Avoid Classes with a High Public Data Ratio (C++)

Avoid Classes with a High Public Data Ratio (C# .Net)

Avoid Classes with a High Public Data Ratio (JEE)

Avoid Classes with a High Public Data Ratio (PowerBuilder)

Avoid Classes with a High Public Data Ratio (Visual Basic)

Avoid Classes with an assignment operator and the default Destructor or assignment operator

Avoid Classes with a non-empty Destructor and the default assignment operator or copy Constructor

CRITICAL  Avoid classes with misplaced metadata (Flex)

CRITICAL  Avoid classes with unknown metadata attribute (Flex)

Avoid client provided dictionaries to have high request sizes

CRITICAL  Avoid clone event not overiden in a custom event (Flex)

CRITICAL  Avoid code injection

CRITICAL  Avoid code injection (PHP)

CRITICAL  Avoid code injection through API requests

CRITICAL  Avoid comparing passwords against hard-coded strings

Avoid comparing types of different widths in a loop

Avoid Constructors not supplying an initial value for all non-static data members

CRITICAL  Avoid constructor with a return type (Flex)

CRITICAL  Avoid control statement in Constructor (must be as lightweight as possible) (Flex)

CRITICAL  Avoid cookie injection

CRITICAL  Avoid cookie injection (PHP)

CRITICAL  Avoid cookie poisoning

CRITICAL  Avoid copying needless the variables (PHP)

CRITICAL  Avoid creating application cookie without SameSite option (PHP)

Avoid creating cookies without enabling httponly attribute

Avoid creating cookie without setting httpOnly option

Avoid creating cookie without setting httpOnly option (Javascript)

CRITICAL  Avoid creating cookie without setting httpOnly option (PHP)

CRITICAL  Avoid creating cookie without setting httpOnly option (TypeScript)

CRITICAL  Avoid creating cookie without setting SameSite option (JEE)

CRITICAL  Avoid creating cookie with overly broad domain (AngularJS)

Avoid creating cookie with overly broad domain (Node.js)

CRITICAL  Avoid creating cookie with overly broad domain (Vue.js)

CRITICAL  Avoid creating cookie with overly broad path (AngularJS)

Avoid creating cookie with overly broad path (C#)

Avoid creating cookie with overly broad path (Javascript)

Avoid creating cookie with overly broad path (JEE)

Avoid creating cookie with overly broad path (Node.js)

CRITICAL  Avoid creating cookie with overly broad path (TypeScript)

CRITICAL  Avoid creating cookie with overly broad path (Vue.js)

Avoid creating file without protection

Avoid creating file without protection

Avoid creating file without protection (Swift)

CRITICAL  Avoid creating unsecured HTTPS GET metadata endpoint in code

CRITICAL  Avoid creating unsecured HTTPS GET metadata endpoint in configuration

CRITICAL  Avoid creation of temporary file with insecure permissions (JEE)

Avoid Cross-Client Database Access using Open SQL statements with CLIENT SPECIFIED/USING CLIENT addition

CRITICAL  Avoid cross-site scripting DOM vulnerabilities ( CWE-79 )

CRITICAL  Avoid Cross-Site Scripting (Persistent)

CRITICAL  Avoid cross-site scripting (persistent) (PHP)

CRITICAL  Avoid cross-site scripting (persistent) (Python)

Avoid cross site scripting (single quoted attribute) (PHP)

CRITICAL  Avoid cross-site scripting through API requests

CRITICAL  Avoid cross-site scripting within events such as onclick, onmouseover ... events (Razor)

Avoid custom code with OSS notes

CRITICAL  Avoid cyclical calls and inheritances between namespaces content

CRITICAL  Avoid cyclical calls and inheritances between packages

Avoid cyclic calls between Event and its handled Method

Avoid cyclic references in the definition of CDS views (S4/HAHA)

CRITICAL  Avoid dangerous file inclusion

CRITICAL  Avoid dangerous file inclusion (JSTL) (Javascript/HTML5)

CRITICAL  Avoid dangerous File Upload

Avoid database tables associated to more than one Entity

Avoid data fields binded to columns to return sensitive data via APIs

CRITICAL  Avoid data filter injection

CRITICAL  Avoid data filter injection through API requests

Avoid data members that are not private

Avoid Datawindows accessing Database Procedures or Functions

Avoid Datawindows accessing Database Tables (PowerBuilder)

Avoid Datawindows that does not access a database data

Avoid debug binaries that include detailed debug information

Avoid debug code in the production system (PHP)

Avoid debug forging

Avoid debug forging through API requests

Avoid declaring Final Instance Variables that are not dynamically initialized

Avoid declaring Inner Classes

Avoid declaring Instance Variables without defined access type

Avoid declaring Non Final Class Variables with Public or Package access type

CRITICAL  Avoid declaring null arrays; prefer to set to empty (EGL)

CRITICAL  Avoid declaring public Fields

Avoid declaring throwing an exception and not throwing it

Avoid Default exclude patterns (excludeParams) in Apache Struts 2.3.20

Avoid #define or #undef macros anywhere other than global namespace

Avoid defining, redefining or undefining standard macros from standard library

Avoid delete operators to exit with an exception.

CRITICAL  Avoid deserialization injection

CRITICAL  Avoid deserialization injection (PHP)

CRITICAL  Avoid deserialization injection through API requests

Avoid direct access to database Procedures/Functions (JSP)

Avoid direct access to Database Tables

CRITICAL  Avoid direct access to database Tables (ASP)

CRITICAL  Avoid direct access to Database Tables (C# .Net)

Avoid direct access to Database Tables in Javascript

CRITICAL  Avoid direct access to database Tables (JSP)

Avoid direct Class inheritance from java.lang.Throwable

Avoid direct definition of JavaScript Functions in a Web page

Avoid direct definition of JavaScript Functions in a Web page (Javascript/HTML5)

CRITICAL  Avoid directly instantiating a Class used as a Spring bean

CRITICAL  Avoid direct usage of database tables (C++)

CRITICAL  Avoid direct usage of database Tables (C Lang.)

CRITICAL  Avoid Direct usage of database Tables (Visual Basic)

Avoid direct usage of EJB Entity from the client

Avoid direct use of database objects (ASP - JavaScript)

Avoid direct use of Database objects (JSP/ASP)

Avoid disabling authentication mode messages when using MSMQ transport security

Avoid disabling certificate check when requesting secured urls

CRITICAL  Avoid disabling CSRF Protection in fastapi_jwt_auth

Avoid disabling custom errors mode to prevent exposure of exceptions and error data

Avoid disabling EnableViewStateMac in ASPX page

CRITICAL  Avoid disabling EnableViewStateMac in Config file

Avoid disabling Header Checking flag in config file

CRITICAL  Avoid disabling HMAC signature verification (C#)

CRITICAL  Avoid disabling OR not defining encryption behavior for encryption when connecting with Database

Avoid disabling source code inspection

Avoid disabling SSL verification in node-curl

CRITICAL  Avoid disabling SSL verification in node-curl (TypeScript)

Avoid disabling Strict Contextual Escaping (SCE) when created

CRITICAL  Avoid disabling the automatic HTML escaping for Spring

CRITICAL  Avoid disabling the expiration time requirement of a JWT token

CRITICAL  Avoid disabling the expiration time validation of a JWT token

CRITICAL  Avoid disabling the signature requirement of a JWT token

CRITICAL  Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC)

Avoid disabling ValidateInput on controller

CRITICAL  Avoid disabling ValidateRequest in Config file

Avoid disabling withCredentials option for the httpProvider

Avoid disabling xsrf check in HttpClientXsrfModule

CRITICAL  Avoid DispatchEvent function not dispatching constant strings (Flex)

Avoid DISPLAY ... UPON CONSOLE

CRITICAL  Avoid double checked locking

Avoid Duplicate Struts validation forms with the same name

CRITICAL  Avoid dynamic class (Flex)

CRITICAL  Avoid dynamic code injection in WKWebView (Swift)

CRITICAL  Avoid Dynamic Function/Method call without Authorization Check

Avoid EJBs using 'synchronized' qualifier, 'wait', 'notify' and 'notifyAll' Methods

CRITICAL  Avoid empty catch blocks

CRITICAL  Avoid empty catch blocks

CRITICAL  Avoid empty catch blocks

CRITICAL  Avoid empty CATCH blocks (ABAP)

CRITICAL  Avoid empty catch blocks (C# .Net)

Avoid empty catch blocks for methods with high fan-in

CRITICAL  Avoid empty catch blocks (JEE)

CRITICAL  Avoid empty catch blocks (PHP)

CRITICAL  Avoid empty catch statement (Flex)

Avoid empty componentDidCatch blocks

Avoid empty componentDidCatch blocks (Typescript)

Avoid empty finally block

Avoid empty finally block

Avoid empty finally blocks

Avoid empty finally blocks (C# .Net)

Avoid empty finally blocks (JEE)

Avoid Empty Finally Block When Calling Resource

CRITICAL  Avoid empty generic catch blocks (Swift)

CRITICAL  Avoid empty IF-ENDIF blocks

CRITICAL  Avoid empty jQuery ajax error/fail blocks

Avoid enabling autocomplete "on" for inputs/forms

Avoid enabling dangerous protocols in whitelist APIs

CRITICAL  Avoid enabling unsecure Node.js (TypeScript)

CRITICAL  Avoid eval injection (PHP)

CRITICAL  Avoid event dispatched in a constructor (Flex)

Avoid exposing methods that use Platform Invocation Services to access unmanaged code

CRITICAL  Avoid expression language injection

CRITICAL  Avoid expression language injection through API requests

CRITICAL  Avoid external control of system or configuration setting

CRITICAL  Avoid external control of system or configuration setting through API requests

CRITICAL  Avoid Fields in Action Classes that are not final static

CRITICAL  Avoid Fields in Servlet Classes that are not final static

CRITICAL  Avoid file path manipulation (PHP)

CRITICAL  Avoid file path manipulation (Python)

CRITICAL  Avoid file path manipulation vulnerabilities ( CWE-73 )

CRITICAL  Avoid file path manipulation vulnerabilities through API requests

Avoid files that declare both symbols and execute logic with side effects (PHP)

Avoid filtering sensitive data using front-end

CRITICAL  Avoid Form Field without Validator

CRITICAL  Avoid Function and Procedures using Builtin Function "String" (PL1)

Avoid Functions and Procedures doing an Insert, Update or Delete without managing a transaction

Avoid Functions and Procedures doing an Insert, Update or Delete without managing a transaction (SQL)

Avoid Functions and Procedures having a SELECT without the default OTHERWISE clause (PL1)

Avoid Functions and Procedures having subscripts used in arrays or in do loops and not declared as BINARY FIXED(31) (PL1)

Avoid Functions and Procedures not having variable declared on a separate line (PL1)

Avoid Functions and Procedures not testing the SQLCODE return code after each SQL statement (PL1)

CRITICAL  Avoid Functions and Procedures not using the REORDER option (PL1)

Avoid Functions and Procedures using BIN FIXED(15) instead of BIN FIXED(31) for all local variables (PL1)

CRITICAL  Avoid Functions and Procedures using BLKSIZE or RECSIZE (PL1)

Avoid Functions and Procedures with DB2 SQL containing "UNION" clause without "ALL" option (PL1)

Avoid Functions and Procedures with "OR" logical operator in DB2 queries and in cursor definitions (PL1)

CRITICAL  Avoid functions having the optional parameters before the others (PHP)

CRITICAL  Avoid Functions throwing exceptions and not having a @Throws tag (PHP)

Avoid functions without returning exit code (Shell)

CRITICAL  Avoid generating key with insufficient random generator in cookies

Avoid getter functions of computed properties that do not return any value

CRITICAL  Avoid globally bindable classes. (Flex)

CRITICAL  Avoid hard-coded JWT secret keys

CRITICAL  Avoid hardcoded network resource names

Avoid hardcoded network resource names

Avoid hardcoded network resource names in Javascript

CRITICAL  Avoid hardcoded network resource names (Kotlin)

Avoid hardcoded network resource names (.NET, VB)

Avoid hard-coded network resource names (Swift)

Avoid hardcoded network resource names (Typescript)

CRITICAL  Avoid hard-coded password in connection string

Avoid hardcoded passwords

CRITICAL  Avoid hardcoded passwords and credentials (Kotlin)

Avoid hardcoded passwords (Javascript)

Avoid hardcoded passwords (Swift)

Avoid hardcoded passwords (TypeScript)

CRITICAL  Avoid hardcoded timeout in Process Activities (TIBCO BW)

Avoid having applications with the debug mode activated

Avoid having applications with the tracing activated in the source code

Avoid having applications with the tracing activated in the web config file

Avoid having aspx pages with tracing activated

Avoid having boolean operators with non-boolean operands (C/C++)

Avoid having call function return ignored (PHP)

Avoid having code dynamically executed

CRITICAL  Avoid having constructors with a return value (PHP)

Avoid having cookie with an overly broad domain (C#)

Avoid having cookie with an overly broad domain (Javascript)

Avoid having cookie with an overly broad domain (JEE)

CRITICAL  Avoid having cookie with an overly broad domain (TypeScript)

Avoid having errors without throwing them

Avoid having expressions with bool type to be used as operands on operators other than =, &&, ||, !, ==, !=, the unary & operator, and the conditional operator

Avoid having functions with no return (PHP)

Avoid having handleHardIOErrors property enabled (EGL)

Avoid having iframe inside a tag

Avoid having local forward with same name as global forward

Avoid having lock on this object

Avoid having lonely variables (PHP)

Avoid having long timeout for HttpCookie (> 5 mn)

Avoid having MongoDB databases access without authentication activated

Avoid having multiple artifacts deleting data on the same SQL table

Avoid having multiple artifacts deleting data on the same SQL table (EGL)

CRITICAL  Avoid having multiple artifacts deleting data on the same SQL table (PLC)

CRITICAL  Avoid having multiple artifacts deleting data on the same SQL table (PLI)

Avoid having multiple Artifacts inserting data on the same SQL Table

Avoid having multiple artifacts inserting data on the same SQL table (EGL)

CRITICAL  Avoid having multiple artifacts inserting data on the same SQL table (PLC)

CRITICAL  Avoid having multiple artifacts inserting data on the same SQL table (PLI)

Avoid having multiple Artifacts updating data on the same SQL Table

Avoid having multiple artifacts updating data on the same SQL table (EGL)

CRITICAL  Avoid having multiple artifacts updating data on the same SQL table (PLC)

CRITICAL  Avoid having multiple artifacts updating data on the same SQL table (PLI)

CRITICAL  Avoid having overrided record declaration with a duplicate declaration in the same application (EGL)

Avoid having properties with __get and no __set (PHP)

CRITICAL  Avoid having the assignment to "$this" (PHP)

Avoid having the property IncludeExceptionDetailInFaults activated in the source code

Avoid having V60ExceptionCompatibility property set to NO (EGL)

Avoid header files circular references

CRITICAL  Avoid hidden form fields to prevent parameter tampering (Javascript/HTML5)

Avoid hosting HTML code in iframe srcdoc

CRITICAL  Avoid HTTP header injection (Python)

CRITICAL  Avoid HTTP response splitting through API requests

Avoid Http Session never expires

Avoid "id" attributes for forms as well as submit

Avoid if statements and blocks that are always TRUE or FALSE

Avoid Impersonate Globally

Avoid improper instantiation of argument exceptions

CRITICAL  Avoid improper neutralization of HTTP headers (PHP)

CRITICAL  Avoid improper processing of the execution status of data handling operations

Avoid Include Circular references

Avoid include JavaScript Files

Avoid incoherent file accesses in Cobol programs and DISP clauses in JCL

Avoid inconsistent initialization when deriving a new exception

CRITICAL  Avoid incorrect signature of the message interceptor. (Flex)

CRITICAL  Avoid Insecure dynamic call of a function module through variable P_NAME

CRITICAL  Avoid insecure parameters for Argon2 password encoder

CRITICAL  Avoid insecure parameters for BCrypt password encoder

CRITICAL  Avoid insecure parameters for PBKDF2 password encoder

CRITICAL  Avoid insecure parameters for SCrypt password encoder

CRITICAL  Avoid insecure use of YAML deserialization when using SnakeYaml (JEE)

Avoid instanceof in Methods that override or implement Object.equals(), Comparable.compareTo()

CRITICAL  Avoid instanciating a variable in a loop (Flex)

Avoid instantiating Boolean

Avoid iterator invalidation.

CRITICAL  Avoid Javascript string interpolations to prevent SQL injections

Avoid JavaScript to block page loading

CRITICAL  Avoid JDBC Connections having password type as string (TIBCO BW)

CRITICAL  Avoid JMS Synchronous Activities (TIBCO BW)

Avoid jump statements in finally

Avoid large number of String concatenation

Avoid large number of String concatenation

CRITICAL  Avoid LDAP injection (PHP)

CRITICAL  Avoid LDAP injection (Python)

CRITICAL  Avoid LDAP injection vulnerabilities ( CWE-90 )

CRITICAL  Avoid LDAP injection vulnerabilities through API requests

CRITICAL  Avoid leaving temporary files in directory (JEE)

Avoid lines starting with "#" with invalid pre-processing directive

Avoid local variables that are not initialized at declaration time

Avoid locking of Objects with weak identities

CRITICAL  Avoid Log forging vulnerabilities ( CWE-117 )

CRITICAL  Avoid log forging vulnerabilities through API requests

CRITICAL  Avoid logging sensitive data (Python)

Avoid Logical Files using DYNSLT (DB400)

CRITICAL  Avoid Logical Files using DYNSLT (DDS400)

Avoid Logical File without associated Physical File (DB400)

CRITICAL  Avoid Logical File without associated Physical File (DDS400)

Avoid Long request parameter names in Struts 2.0.0 - struts 2.3.4

Avoid Main Procedures having LEAVE statement (PL1)

CRITICAL  Avoid Main Procedures not having an ON ERROR clause (PL1)

CRITICAL  Avoid Main procedures using the DATE builtin Function via include PLC (PL1)

Avoid Managed type declaration for Win32 API using Overlapped IO

Avoid manipulating a list while iterating over it

Avoid many-to-many association

Avoid message security without authentication for an anonymous client

CRITICAL  Avoid method metadata argument redundant with the handler name (Flex)

CRITICAL  Avoid Methods and Functions directly access to database tables (PHP)

Avoid missing default in switch statements

Avoid missing default in switch statements (JEE)

Avoid Missing Form Bean in Struts 1.x

CRITICAL  Avoid missing WHEN OTHERS in CASE statements

CRITICAL  Avoid mixing trusted and untrusted data in HTTP requests (PHP)

CRITICAL  Avoid mixing trusted and untrusted data in HTTP requests (Python)

CRITICAL  Avoid mixing trusted and untrusted data in HTTP requests through API requests

CRITICAL  Avoid modelLocator that is Bindable at a class level (Flex)

CRITICAL  Avoid more than one reference of ModelLocator per class (Flex)

Avoid move constructor and move assignment operator to exit with an exception

Avoid multiple validation form with the same name

Avoid mutable default parameter values

CRITICAL  Avoid MVC injection

CRITICAL  Avoid MVC injection through API requests

CRITICAL  Avoid MXML component with more than 1 public variable (Flex)

CRITICAL  Avoid MXML component with more than 2 public variables (Flex)

Avoid non-public custom exception types

Avoid non serializable Entities

Avoid non serializable Entity beans

CRITICAL  Avoid non thread safe singleton

CRITICAL  Avoid non validated inputs

Avoid non-void return type function without an explicit return of an expression (C/C++)

CRITICAL  Avoid NoSQL injection on MongoDB (C#)

CRITICAL  Avoid NoSQL injection through API requests

Avoid not enabling throttling while setting service behavior

Avoid NULL Pointer Dereference (C#, VB.NET)

CRITICAL  Avoid numerical data corruption during incompatible mutation

CRITICAL  Avoid numeric user inputs in SQL queries

CRITICAL  Avoid numeric user inputs in SQL queries through API requests

Avoid Objects having exposed pointers allowed to access unmanaged memory

CRITICAL  Avoid observable authentication response discrepancy (Python)

Avoid old VAGen Compatibility statements (EGL)

Avoid orphaned synonyms

Avoid orphaned synonyms in PL/SQL context

CRITICAL  Avoid OS command injection (PHP)

CRITICAL  Avoid OS command injection (Python)

CRITICAL  Avoid OS command injection vulnerabilities ( CWE-78 )

CRITICAL  Avoid OS command injection vulnerabilities through API requests

Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy

CRITICAL  Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python)

Avoid override artifacts not having link demands identical to base

CRITICAL  Avoid package configuration having no or wildcard namespace with Struts2

CRITICAL  Avoid packages with misplaced metadata (Flex)

CRITICAL  Avoid packages with unknown metadata attribute (Flex)

CRITICAL  Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP)

CRITICAL  Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)

Avoid passing an existing array with spread operator as an argument using vararg as parameters (Kotlin)

Avoid passing parameter by value

Avoid passing the variables of a function by reference(PHP)

Avoid PB Function/Event/Method accessing Database Procedures or Functions

Avoid PB Function/Event/Method accessing Database Tables (PowerBuilder)

Avoid PHP Dangerous Feature (PHP)

CRITICAL  Avoid PHP Remote File Inclusion (PHP)

Avoid Physical File updated by multiple program (DB400)

Avoid PL1 Errors Blocks having ON ERROR SYSTEM blocks and not containing and displaying ONCODE and ONLOC (PL1)

CRITICAL  Avoid plaintext storage of password

CRITICAL  Avoid PLC Copybooks using FIXED variable type declaration (PL1)

CRITICAL  Avoid PLC Copybooks using variables with ALLOCATE and without FREE (PL1)

Avoid PLC Copybook with a very low comment/code ratio (PL1)

Avoid PLC Procedures & Functions with a very low comment/code ratio (PL1)

CRITICAL  Avoid PLI Main procedures using variables with ALLOCATE and without FREE (PL1)

Avoid PLI Procedures & Functions with a very low comment/code ratio (PL1)

CRITICAL  Avoid popup using dynamic filters (Flex)

CRITICAL  Avoid Procedures using an Insert, Update, Delete, Create Table or Select without including error management

CRITICAL  Avoid process control

CRITICAL  Avoid process control through API requests

CRITICAL  Avoid Processes using JDBC SQL Direct (TIBCO BW)

Avoid processing Google Sign In Client without catching error

CRITICAL  Avoid program calls outside a try end block (EGL)

CRITICAL  Avoid Program calls without checking the return code (EGL)

Avoid Programs accessing directly to Physical Files (RPG300)

Avoid Programs accessing directly to Physical Files (RPG400)

Avoid Programs accessing directly to Physical Files (RPG_FP)

Avoid Programs accessing more than X physical files (RPG300)

Avoid Programs accessing more than X physical files (RPG400)

Avoid Programs accessing more than X physical files (RPG_FP)

Avoid Programs declaring STATIC variables (PL1)

Avoid Programs having cursors that doesn't contain the "FOR UPDATE" clause and not containing the "FOR READ ONLY" or "FOR FETCH ONLY" clause (PL1)

Avoid Programs having files declared and not having the ON UNDF or ON UNDEFINEDFILE statement except SYSPRINT and SYSIN (PL1)

Avoid Programs having files declared as RECORD INPUT or RECORD UPDATE and not having the ON EOF or ON ENDFILE statement (PL1)

Avoid Programs having FIXED without BIN or BINARY or DEC or DECIMAL.The character "(" is mandatory. (PL1)

Avoid programs not having the property allowUnqualifiedItemReferences set to YES (EGL)

Avoid programs not having the property I4GLItemsNullable set to NO (EGL)

Avoid Programs not having the property includeReferencedFunctions set to YES (EGL)

CRITICAL  Avoid Programs not using explicitly OPEN and CLOSE files (PL1)

Avoid Programs overriding the *PROCESS statement (PL1)

Avoid providing password in Web Service URL

Avoid providing password in Web Service URL

Avoid providing password in Web Service URL

Avoid providing password in Web Service URL

Avoid Psysical Files using large buffers (DB400)

Avoid public/protected setter for the generated identifier field

Avoid public/protected setter for the generated identifier field

CRITICAL  Avoid public variables inside a custom event (Flex)

Avoid Python string interpolations to prevent SQL injections

Avoid queries using old style join convention instead of ANSI-Standard joins

Avoid raising an exception in a Web Dynpro Supply Function or in a Method called by a Supply Function

Avoid raising exceptions in unexpected location

CRITICAL  Avoid Record Column without having the same nullable requirement as the corresponding SQL Table column (EGL)

CRITICAL  Avoid Reflected Cross-site Scripting (Non Persistent)

CRITICAL  Avoid reflected cross-site scripting (PHP)

CRITICAL  Avoid reflected cross-site scripting (Python)

CRITICAL  Avoid reflection injection

CRITICAL  Avoid reflection injection through API requests

CRITICAL  Avoid Regular expression injection

CRITICAL  Avoid Regular expression injection through API requests

CRITICAL  Avoid resource injection

CRITICAL  Avoid resource injection (Python)

CRITICAL  Avoid resource injection through API requests

CRITICAL  Avoid resource URL manipulation

CRITICAL  Avoid resource URL manipulation through API requests

Avoid rethrow exception explicitly

Avoid returning null from non-async Task/Task method

Avoid returning null from ToString()

Avoid return statement in @finally block

Avoid return statement in @finally block

Avoid return statement in finally block

Avoid return statement in finally block

Avoid return statements in finally blocks (JEE)

Avoid scripts and functions using SQL static statements (Shell)

Avoid scripts and functions with SQL code in temporary files (Shell)

CRITICAL  Avoid second order code injection (PHP)

CRITICAL  Avoid second order cookie injection (PHP)

CRITICAL  Avoid second order deserialization injection

CRITICAL  Avoid second order deserialization injection (PHP)

CRITICAL  Avoid second order expression language injection

CRITICAL  Avoid second order file path manipulation (PHP)

CRITICAL  Avoid second order HTTP header injection (PHP)

CRITICAL  Avoid second order LDAP injection

CRITICAL  Avoid second order LDAP injection (PHP)

CRITICAL  Avoid second order LDAP injection (Python)

CRITICAL  Avoid second order numeric user inputs in SQL queries

CRITICAL  Avoid second order OS command injection

CRITICAL  Avoid second order OS command injection (PHP)

CRITICAL  Avoid second order PHP Remote File Inclusion

CRITICAL  Avoid second order reflection injection (PHP)

CRITICAL  Avoid second order Regular expression injection

CRITICAL  Avoid second order server-side request forgery

CRITICAL  Avoid second order server-side request forgery (PHP)

CRITICAL  Avoid second order SQL injection

CRITICAL  Avoid second order SQL injection (PHP)

CRITICAL  Avoid second order URL redirection to untrusted site

CRITICAL  Avoid second order XPath injection

CRITICAL  Avoid second order XPath injection (PHP)

CRITICAL  Avoid second order XQuery injection

CRITICAL  Avoid Sections directly access to database tables (PHP)

CRITICAL  Avoid server-side request forgery

CRITICAL  Avoid server-side request forgery (PHP)

CRITICAL  Avoid server-side request forgery (Python)

CRITICAL  Avoid server-side request forgery through API requests

Avoid Session Fixation (PHP)

Avoid setting android:grantUriPermissions as True

CRITICAL  Avoid setting a pointer to the address of a local variable defined in a lower scope

Avoid shadowing class variables

Avoid SQL injection in dynamic SQL for Oracle

CRITICAL  Avoid SQL injection (PHP)

CRITICAL  Avoid SQL injection vulnerabilities ( CWE-89 )

CRITICAL  Avoid SQL injection vulnerabilities through API requests

CRITICAL  Avoid SQL query outside try-on block (EGL)

CRITICAL  Avoid Stateful Beans not removed

Avoid static Field of type collection

Avoid static Fields that are not final

Avoid Stored Procedures not returning a status value

CRITICAL  Avoid storing Non-Serializable Object as HttpSessionState attributes.

Avoid storing passwords in Comments

Avoid storing passwords in the config files

Avoid String concatenation in loops for artifacts with high fan in

Avoid String initialization with String object (created using the 'new' keyword)

CRITICAL  Avoid string interpolations to prevent SQL injections (TypeScript)

CRITICAL  Avoid Struts 2 Action Fields without Validation

Avoid Struts 2 Validator field not referencing a java class field

Avoid Struts action Mapping with disabled validator

CRITICAL  Avoid Struts Invalidated Action Form 1.x

CRITICAL  Avoid switch statement without a default statement (Flex)

Avoid synchronizing the credentials with iCloud

Avoid synchronizing the credentials with iCloud

Avoid synchronizing the credentials with iCloud (Swift)

Avoid table and column names that are too long (portability)

CRITICAL  Avoid Tables without Primary Key

CRITICAL  Avoid test containing a hard coded boolean value. (Flex)

Avoid testing floating point numbers for equality

CRITICAL  Avoid testing floating point numbers for equality

CRITICAL  Avoid testing specific values for SY-UNAME

Avoid