This page presents the CISQ/OMG Quality Measurement Rules coverage at system and technology level for applications built on Web / JEE technology and Oracle SQL, as supported by CAST AIP. Web / JEE with Oracle SQL is an example of a common technology stack used in many applications; if necessary, CAST can help create an overview of CISQ coverage for other combinations of technologies.

Note that Web refers to the following technologies:

  • HTML5/Javascript
  • AngularJS
  • jQuery
  • Node.js

In the table below, an AIP QR Id of N/A means the OMG rule is not applicable to that technology (the Description column gives the reason), a dash means no AIP rule is listed for that technology, and AC means the coverage is provided by Architecture Checker rather than by a quality rule.

Characteristic | OMG Rule Id and Name | Levels | AIP QR Id | AIP QR Name | Description | Source Techno
---|---|---|---|---|---|---
Maintainability | ASCMM-MNT-02: Class Element Excessive Inheritance of Class Elements with Concrete Implementation | Technology | N/A | | Not possible to implement with AIP. | JEE / Web
Maintainability | ASCMM-MNT-02: Class Element Excessive Inheritance of Class Elements with Concrete Implementation | Technology | N/A | | Not applicable to database technologies: relational databases deal with entities and relationships, not objects, so there is no inheritance. | SQL
Maintainability | ASCMM-MNT-04: Callable and Method Control Element Number of Outward Calls | System / Technology / Unit | 7778 | Avoid Artifacts with High Fan-Out | Direct implementation of the rule. Note that for JEE, OMG mandates a default fan-out threshold of 5, whereas the AIP default is 4. | JEE / SQL / Web
Maintainability | ASCMM-MNT-07: Inter-Module Dependency Cycles | Technology | 7292 | Avoid cyclical calls and inheritances between packages | Direct implementation of the rule. | JEE
Maintainability | ASCMM-MNT-07: Inter-Module Dependency Cycles | Technology | N/A | | | Web
Maintainability | ASCMM-MNT-07: Inter-Module Dependency Cycles | Technology | N/A | | Not applicable to database technologies: modules are usually developed in a programming language. | SQL
Maintainability | ASCMM-MNT-09: Horizontal Layer Excessive Number | System | AC | Architecture Checker | An excessive number of layers is detected when defining the architecture. | JEE / Web
Maintainability | ASCMM-MNT-09: Horizontal Layer Excessive Number | System | N/A | | Not applicable to DBMS technologies. | SQL
Maintainability | ASCMM-MNT-10: Named Callable and Method Control Element Multi-Layer Span | System | AC | Architecture Checker | Components that span several layers are detected when defining the architecture. | JEE / Web
Maintainability | ASCMM-MNT-10: Named Callable and Method Control Element Multi-Layer Span | System | N/A | | Not applicable to DBMS technologies. | SQL
Maintainability | ASCMM-MNT-12: Named Callable and Method Control Element with Layer-skipping Call | System | AC | Architecture Checker | Defining the architecture with Architecture Checker and specifying the authorized links between layers pinpoints the components with layer-skipping calls. | JEE / Web
Maintainability | ASCMM-MNT-12: Named Callable and Method Control Element with Layer-skipping Call | System | N/A | | Not applicable to DBMS technologies. | SQL
Maintainability | ASCMM-MNT-17: Class Element Excessive Inheritance Level | Technology | 7802 | Avoid Classes with a High Depth of Inheritance Tree | Direct implementation of the rule. | JEE
Maintainability | ASCMM-MNT-17: Class Element Excessive Inheritance Level | Technology | N/A | | | Web
Maintainability | ASCMM-MNT-17: Class Element Excessive Inheritance Level | Technology | N/A | | Not applicable in the context of database technologies. | SQL
Maintainability | ASCMM-MNT-18: Class Element Excessive Number of Children | Technology | 7792 | Avoid Classes with a High Number Of Children | Direct implementation of the rule. | JEE / Web
Maintainability | ASCMM-MNT-18: Class Element Excessive Number of Children | Technology | N/A | | Not applicable in the context of database technologies. | SQL
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 7860 | Avoid unreferenced Functions | JEE: direct implementation of the rule. SQL: lists all unreferenced functions, procedures, and package functions and procedures. | JEE / SQL
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 7908 | Avoid unreferenced Methods | Direct implementation of the rule. | JEE
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1020514 | Avoid using Javascript undefined in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018508 | Use Angular wrapper service $document | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018512 | Use Angular wrapper service $timeout | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018516 | Avoid using Javascript Array typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018518 | Avoid using Javascript Date typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018520 | Avoid using Javascript Function typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018522 | Avoid using Javascript String typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018528 | Avoid using Javascript Regexp typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018524 | Avoid using Javascript Object typecheck in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018510 | Use Angular wrapper service $window | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1018530 | Avoid using !angular.isUndefined() and !angular.isDefined() in AngularJS application | Partially contributes to the rule in the AngularJS context. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1020040 | Avoid using delete with no object properties | Partially contributes to the rule. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1020054 | Avoid using delete on arrays | Partially contributes to the rule. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1020536 | Avoid using $ or jQuery, use angular.element instead | Partially contributes to the rule. | Web
Maintainability | ASCMM-MNT-20: Unreachable Named Callable or Method Control Element | System / Technology | 1020538 | Avoid wrapping angular.element objects with jQuery or $ | Partially contributes to the rule. | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 7808 | Avoid Artifacts with SQL statement including subqueries | Sub-queries contribute to SQL query complexity; this AIP rule checks for SQL queries containing sub-queries. | JEE / SQL
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 7130 | Avoid Artifacts with High Depth of Nested Subqueries | Nested sub-queries contribute to SQL query complexity; this AIP rule checks the nesting depth of sub-queries. | JEE
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020004 | Avoid to use querySelectorAll | Contributes to the rule. | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020006 | Avoid to call a function in a termination loop | Partially contributes to the rule. | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020314 | Avoid using css() of many elements | | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020306 | Always use find for Id->Child nested selectors | | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020302 | Avoid using element type in jQuery | | Web
Performance Efficiency | ASCPEM-PRF-04: Data Resource Read and Write Access Excessive Complexity | System / Technology / Unit | 1020308 | Always cache the returned objects in variables to be reused | | Web
Performance Efficiency | ASCPEM-PRF-05: Data Resource Read Access Unsupported by Index Element | System / Technology / Unit | - | | | JEE / Web
Performance Efficiency | ASCPEM-PRF-05: Data Resource Read Access Unsupported by Index Element | System / Technology / Unit | 7902 | Avoid SQL queries that no index can support | Direct implementation of the rule. | SQL
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7206 | Avoid the use of InstanceOf inside loops | OMG rule implemented for the case of type checking inside loops. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7200 | Avoid String concatenation in loops | OMG rule implemented for the case of string concatenation inside loops. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7210 | Avoid instantiations inside loops | OMG rule implemented for the case of class instantiation inside a loop. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7954 | Avoid indirect String concatenation inside loops | OMG rule implemented for the case of string concatenation inside functions called from loops. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7204 | Avoid method invocation in a loop termination expression | OMG rule implemented for the case of method invocation in a loop condition. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7424 | Avoid using SQL queries inside a loop | SQL queries can be expensive in terms of resources; this AIP rule checks for queries executed inside loops. | JEE / SQL
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 7962 | Avoid direct or indirect remote calls inside a loop | OMG rule implemented for the case of an EJB or SAL call inside a loop. | JEE
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020504 | Avoid using the call of web service with AngularJS $http inside a loop | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1018534 | Avoid using a web service with AngularJS $resource inside a loop | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020038 | Avoid defining and calling functions inside loops | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020014 | Avoid using a web service with XMLHttpRequest inside a loop | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020012 | Avoid using a web service with WebSocket inside a loop | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020300 | Avoid using the call of web service $.ajax inside a loop | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-08: Control Elements Requiring Significant Resource Element within Control Flow Loop Block | System / Technology / Unit | 1020056 | Avoid using Javascript Document.all collection | Direct implementation of the rule. | Web
Performance Efficiency | ASCPEM-PRF-09: Non-Stored SQL Callable Control Element with Excessive Number of Data Resource Access | Technology / Unit | 7914 | Avoid direct access to Database Tables | Strict implementation of the OMG rule: forbids the use of non-stored SQL procedures in Java code. | JEE
Performance Efficiency | ASCPEM-PRF-09: Non-Stored SQL Callable Control Element with Excessive Number of Data Resource Access | Technology / Unit | 1020072 | Avoid direct access to Database Tables in Javascript | | Web
Performance Efficiency | ASCPEM-PRF-09: Non-Stored SQL Callable Control Element with Excessive Number of Data Resource Access | Technology / Unit | - | | | SQL
Performance Efficiency | ASCPEM-PRF-10: Non-SQL Named Callable and Method Control Element with Excessive Number of Data Resource Access | System | 8110 | Use dedicated stored procedures when multiple data accesses are needed | OMG rule implemented for SQL calls in Java code. It takes into account any database access, whether via an explicit SQL command or via a stored procedure. | JEE
Performance Efficiency | ASCPEM-PRF-10: Non-SQL Named Callable and Method Control Element with Excessive Number of Data Resource Access | System | - | | | Web / SQL
Performance Efficiency | ASCPEM-PRF-11: Data Access Control Element from Outside Designated Data Manager Component | System / Technology | AC | Architecture Checker | Defining the architecture with Architecture Checker and specifying the authorized links between layers pinpoints the components with layer-skipping calls. | JEE / Web
Performance Efficiency | ASCPEM-PRF-11: Data Access Control Element from Outside Designated Data Manager Component | System / Technology | N/A | | Not applicable to DBMS technologies. | SQL
Performance Efficiency | ASCPEM-PRF-12: Storable and Member Data Element Excessive Number of Aggregated Storable and Member Data Elements | Technology / Unit | 7424 | Avoid using SQL queries inside a loop | SQL queries can be expensive in terms of resources; this AIP rule checks for queries executed inside loops. | JEE
Performance Efficiency | ASCPEM-PRF-12: Storable and Member Data Element Excessive Number of Aggregated Storable and Member Data Elements | Technology / Unit | - | | | Web
Performance Efficiency | ASCPEM-PRF-12: Storable and Member Data Element Excessive Number of Aggregated Storable and Member Data Elements | Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Performance Efficiency | ASCPEM-PRF-14: Storable and Member Data Element Memory Allocation Missing De-Allocation Control Element | Technology / Unit | N/A | | Not applicable in the Java context, where memory is fully managed. | JEE / SQL
Performance Efficiency | ASCPEM-PRF-14: Storable and Member Data Element Memory Allocation Missing De-Allocation Control Element | Technology / Unit | - | | | Web
Performance Efficiency | ASCPEM-PRF-15: Storable and Member Data Element Reference Missing De-Referencing Control Element | Technology / Unit | 7562 | Avoid static Field of type collection | OMG rule implemented for static collection variables: storage structures whose memory can keep growing, which exist for the whole lifetime of the application and cannot be dereferenced. | JEE
Performance Efficiency | ASCPEM-PRF-15: Storable and Member Data Element Reference Missing De-Referencing Control Element | Technology / Unit | - | | | Web
Performance Efficiency | ASCPEM-PRF-15: Storable and Member Data Element Reference Missing De-Referencing Control Element | Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-CWE-120: Buffer Copy without Checking Size of Input | Technology / Unit | - | | | JEE / SQL
Reliability | ASCRM-CWE-120: Buffer Copy without Checking Size of Input | Technology / Unit | N/A | | JavaScript is a dynamic, memory-managed language. | Web
Reliability | ASCRM-CWE-252-data: Unchecked Return Parameter Value of named Callable and Method Control Element with Read, Write, and Manage Access to Data Resource | System / Technology / Unit | 8112 | Avoid improper processing of the execution status of data handling operation | Implementation of the OMG rule in the Java context, by checking the proper handling of exceptions triggered during data access operations. | JEE
Reliability | ASCRM-CWE-252-data: Unchecked Return Parameter Value of named Callable and Method Control Element with Read, Write, and Manage Access to Data Resource | System / Technology / Unit | - | | | SQL
Reliability | ASCRM-CWE-252-data: Unchecked Return Parameter Value of named Callable and Method Control Element with Read, Write, and Manage Access to Data Resource | System / Technology / Unit | 1020502 | Avoid the use of JSON.parse and JSON.stringify in AngularJS web app | Using the official AngularJS function checks the returned parameter value and contributes to the coverage of the CISQ rule. | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | - | | | JEE / SQL
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020522 | Avoid using Javascript String typecheck in AngularJS application | Partially contributes to the rule. | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020528 | Avoid using Javascript Regexp typecheck in AngularJS application | Partially contributes to the rule. | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020524 | Avoid using Javascript Object typecheck in AngularJS application | Partially contributes to the rule. | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020526 | Avoid using Javascript Number typecheck in AngularJS application | Partially contributes to the rule. | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020520 | Avoid using Javascript Function typecheck in AngularJS application | | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020518 | Avoid using Javascript Date typecheck in AngularJS application | | Web
Reliability | ASCRM-CWE-704: Incorrect Type Conversion or Cast | Technology / Unit | 1020516 | Avoid using Javascript Array typecheck in AngularJS application | | Web
Reliability | ASCRM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 8108 | Close the outermost stream ASAP | OMG rule implemented for Java streams. | JEE
Reliability | ASCRM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 8104 | Close database resources ASAP | OMG rule implemented for Java database accesses (JDBC, JPA and Hibernate). | JEE
Reliability | ASCRM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 1020730 | Ensure Node.js filesystem are closed | | Web
Reliability | ASCRM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | - | | | SQL
Reliability | ASCRM-CWE-788: Memory Location Access After End of Buffer | Technology / Unit | N/A | | In Java, out-of-bounds access is detected by the runtime and throws an exception. | JEE / SQL
Reliability | ASCRM-CWE-788: Memory Location Access After End of Buffer | Technology / Unit | N/A | | JavaScript is a dynamic, memory-managed language. | Web
Reliability | ASCRM-RLB-02: Serializable Storable Data Element without Serialization Control Element | Technology / Unit | - | | Not applicable in the context of database technologies (SQL). | JEE / Web / SQL
Reliability | ASCRM-RLB-03: Serializable Storable Data Element with non-Serializable Item Elements | Technology / Unit | 7650 | All types of a serializable Class must be serializable | Direct implementation of the rule. | JEE
Reliability | ASCRM-RLB-03: Serializable Storable Data Element with non-Serializable Item Elements | Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-03: Serializable Storable Data Element with non-Serializable Item Elements | Technology / Unit | - | | | Web
Reliability | ASCRM-RLB-04: Persistent Storable Data Element without Proper Comparison Control Element | Technology / Unit | 7504 | Persistent classes should Implement hashCode() and equals() | OMG rule implemented in the case of Hibernate persistence. | JEE
Reliability | ASCRM-RLB-04: Persistent Storable Data Element without Proper Comparison Control Element | Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-04: Persistent Storable Data Element without Proper Comparison Control Element | Technology / Unit | - | | | Web
Reliability | ASCRM-RLB-05: Runtime Resource Management Control Element in a Component Built to Run on Application Servers | Technology / Unit | 7728 | Avoid thread creation for application running on application server | OMG rule implemented by forbidding thread creation. | JEE
Reliability | ASCRM-RLB-05: Runtime Resource Management Control Element in a Component Built to Run on Application Servers | Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-05: Runtime Resource Management Control Element in a Component Built to Run on Application Servers | Technology / Unit | - | | | Web
Reliability | ASCRM-RLB-10: Data Access Control Element from Outside Designated Data Manager Component | System / Technology | AC | Architecture Checker | Defining the architecture with Architecture Checker and specifying the authorized links between layers pinpoints the components with layer-skipping calls. | JEE / Web
Reliability | ASCRM-RLB-10: Data Access Control Element from Outside Designated Data Manager Component | System / Technology | N/A | | Not applicable to DBMS technologies. | SQL
Reliability | ASCRM-RLB-11: Named Callable and Method Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | Technology | 7154 | Avoid Fields in Action Classes that are not final static | OMG rule implemented for the case of multi-threading implemented with Struts actions. | JEE
Reliability | ASCRM-RLB-11: Named Callable and Method Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | Technology | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-11: Named Callable and Method Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | Technology | - | | | Web
Reliability | ASCRM-RLB-13: Inter-Module Dependency Cycles | Technology | 7292 | Avoid cyclical calls and inheritances between packages | Direct implementation of the rule. | JEE
Reliability | ASCRM-RLB-13: Inter-Module Dependency Cycles | Technology | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-13: Inter-Module Dependency Cycles | Technology | - | | | Web
Reliability | ASCRM-RLB-14: Parent Class Element with References to Child Class Element | Technology | 7934 | Avoid Superclass (or Interface) knowing Subclass (or Interface) | Direct implementation of the rule. | JEE
Reliability | ASCRM-RLB-14: Parent Class Element with References to Child Class Element | Technology | N/A | | Not applicable in the context of database technologies. | SQL
Reliability | ASCRM-RLB-14: Parent Class Element with References to Child Class Element | Technology | 1020064 | Avoid Superclass knowing Subclass in Javascript | | Web
Security | ASCSM-CWE-22: Path Traversal Improper Input Neutralization | System / Technology | 7752 | Avoid file path manipulation vulnerabilities ( CWE-73 ) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-22: Path Traversal Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-22: Path Traversal Improper Input Neutralization | System / Technology | - | | | Web
Security | ASCSM-CWE-78: OS Command Injection Improper Input Neutralization | System / Technology | 7748 | Avoid OS command injection vulnerabilities ( CWE-78 ) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-78: OS Command Injection Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-78: OS Command Injection Improper Input Neutralization | System / Technology | 1020058 | Avoid using eval() | | Web
Security | ASCSM-CWE-78: OS Command Injection Improper Input Neutralization | System / Technology | 1020078 | Avoid using setTimeout() | | Web
Security | ASCSM-CWE-78: OS Command Injection Improper Input Neutralization | System / Technology | 1020080 | Avoid using setInterval() | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 7740 | Avoid cross-site scripting DOM vulnerabilities ( CWE-79 ) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020030 | Avoid using javascript or expression in the CSS file | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020022 | Avoid using submitted markup containing "form" and "formaction" attributes | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020024 | Avoid "id" attributes for forms as well as submit | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020026 | Avoid using autofocus and onfocus in submitted markup | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020028 | Avoid using autofocus and onblur in submitted markup | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020032 | Avoid using video poster attributes in combination with javascript | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020034 | Avoid hosting HTML code in iframe srcdoc | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020042 | Avoid having iframe inside a tag | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020044 | Avoid using setData in ondragstart with attribute draggable set to true. | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020048 | Avoid using source tag in video/audio with event handler | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020046 | Avoid using oninput in body containing input autofocus | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020050 | Avoid white-listing the "dirname" attribute in user generated content | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020052 | Avoid using import with external URI | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020074 | Avoid enabling autocomplete "on" for inputs/forms | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020542 | Enable Content Security Policy when creating an AngularJS application | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020544 | Avoid disabling Strict Contextual Escaping (SCE) when created. | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020546 | Avoid using unsanitized AngularJS application | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020548 | Avoid disabling withCredentials option for the httpProvider | | Web
Security | ASCSM-CWE-79: Cross-site Scripting Improper Input Neutralization | System / Technology | 1020718 | Ensure that browser cannot cache or store a page | | Web
Security | ASCSM-CWE-89: SQL Injection Improper Input Neutralization | System / Technology | 7742 | Avoid SQL injection vulnerabilities ( CWE-89 ) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-89: SQL Injection Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-89: SQL Injection Improper Input Neutralization | System / Technology | - | | | Web
Security | ASCSM-CWE-99: Name or Reference Resolution Improper Input Neutralization | System / Technology / Unit | 7732 | Avoid non validated inputs | Checks input validation in the JSP context. | JEE
Security | ASCSM-CWE-99: Name or Reference Resolution Improper Input Neutralization | System / Technology / Unit | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-99: Name or Reference Resolution Improper Input Neutralization | System / Technology / Unit | - | | | Web
Security | ASCSM-CWE-120: Buffer Copy without Checking Size of Input | Technology / Unit | - | | | JEE / SQL
Security | ASCSM-CWE-120: Buffer Copy without Checking Size of Input | Technology / Unit | N/A | | JavaScript is a dynamic, memory-managed language. | Web
Security | ASCSM-CWE-129: Array Index Improper Input Neutralization | System / Technology | - | | Not applicable in the context of database technologies (SQL). | JEE / SQL
Security | ASCSM-CWE-129: Array Index Improper Input Neutralization | System / Technology | N/A | | | Web
Security | ASCSM-CWE-134: Format String Improper Input Neutralization | System / Technology | 8098 | Avoid uncontrolled format string (CWE-134) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-134: Format String Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-134: Format String Improper Input Neutralization | System / Technology | - | | | Web
Security | ASCSM-CWE-434: File Upload Improper Input Neutralization | System / Technology | 7752 | Avoid file path manipulation vulnerabilities ( CWE-73 ) | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-434: File Upload Improper Input Neutralization | System / Technology | 8218 | CWE-434: Content type should be checked when receiving a HTTP Post | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-434: File Upload Improper Input Neutralization | System / Technology | N/A | | Not applicable in the context of database technologies. | SQL
Security | ASCSM-CWE-434: File Upload Improper Input Neutralization | System / Technology | - | | | Web
Security | ASCSM-CWE-606: Unchecked Input for Loop Condition | System / Technology | - | | | JEE / Web / SQL
Security | ASCSM-CWE-667: Shared Resource Improper Locking | Technology | - | | | JEE / Web / SQL
Security | ASCSM-CWE-672: Expired or Released Resource Usage | Technology / Unit | 8214 | CWE-672: Expired or Released Resource should not be used | | JEE
Security | ASCSM-CWE-672: Expired or Released Resource Usage | Technology / Unit | - | | | Web / SQL
Security | ASCSM-CWE-681: Numeric Types Incorrect Conversion | Technology / Unit | 8216 | CWE-681: Avoid numerical data corruption during incompatible mutation | | JEE
Security | ASCSM-CWE-681: Numeric Types Incorrect Conversion | Technology / Unit | N/A | | | Web / SQL
Security | ASCSM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 8108 | Close the outermost stream ASAP | OMG rule implemented for Java streams. | JEE
Security | ASCSM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 8104 | Close database resources ASAP | OMG rule implemented for Java database accesses (JDBC, JPA and Hibernate). | JEE
Security | ASCSM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | 1020730 | Ensure Node.js filesystem are closed | | Web
Security | ASCSM-CWE-772: Missing Release of Resource after Effective Lifetime | Technology / Unit | - | | | SQL
Security | ASCSM-CWE-789: Uncontrolled Memory Allocation | System / Technology | - | | | JEE / SQL
Security | ASCSM-CWE-789: Uncontrolled Memory Allocation | System / Technology | N/A | | JavaScript is a dynamic, memory-managed language. | Web
Security | ASCSM-CWE-798: Hard-Coded Credentials Usage for Remote Authentication | Technology / Unit | 8222 | CWE-798 : Use of Hard-coded Credentials | | JEE
Security | ASCSM-CWE-798: Hard-Coded Credentials Usage for Remote Authentication | Technology / Unit | - | | | Web / SQL
Security | ASCSM-CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) | Technology / Unit | 7388 | Avoid artifacts having recursive calls | Direct implementation of the rule. | JEE
Security | ASCSM-CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) | Technology / Unit | - | | | SQL
Security | ASCSM-CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) | Technology / Unit | 1020500 | Avoid the use of the default JavaScript implementation [].forEach in AngularJS web app | Using the official AngularJS function checks the loop exit condition and contributes to the coverage of the CISQ rule. | Web
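The Web rows for ASCSM-CWE-78 (Avoid using eval(), setTimeout(), setInterval()) and the SCE rule under ASCSM-CWE-79 (1020544) all target places where a string ends up compiled as code. As an added illustration, not CAST AIP code and not a description of how those AIP rules are actually implemented, the checker below runs over constructed sample source and reports those sinks. The regular expressions are this example's own assumption about what to match; the distinction it draws, that a string first argument to setTimeout/setInterval is an implicit eval while a function argument is the safe form, is the caveat to keep in mind when triaging findings from a rule that is named after the whole function.

```javascript
// Added example (not CAST AIP code): a line-oriented checker for implicit-eval
// sinks. Patterns are this example's assumption of what the Web rules look for.

const SINK_PATTERNS = [
  // eval() executes its argument as code whatever that argument is.
  { id: 'eval', re: /\beval\s*\(/,
    note: 'argument is executed as code' },
  // setTimeout/setInterval are only an eval sink when the first argument is a
  // string: the engine compiles and runs it. A function argument is the safe
  // form and is deliberately not reported.
  { id: 'setTimeout-string', re: /\bsetTimeout\s*\(\s*['"`]/,
    note: 'string argument is compiled as code; pass a function instead' },
  { id: 'setInterval-string', re: /\bsetInterval\s*\(\s*['"`]/,
    note: 'string argument is compiled as code; pass a function instead' },
  // AngularJS Strict Contextual Escaping switched off: ng-bind-html then
  // accepts untrusted HTML without $sce.trustAs*(), re-opening DOM XSS.
  { id: 'sce-disabled', re: /\$sceProvider\s*\.\s*enabled\s*\(\s*false\s*\)/,
    note: 'SCE disabled; keep it on and use $sce.trustAsHtml() case by case' },
];

// Drop // comments so commented-out code is not reported. A real analyzer
// works on the AST; a line checker cannot tell a '//' inside a string apart.
function stripLineComment(line) {
  return line.replace(/\/\/.*$/, '');
}

// Returns one finding per (line, pattern) hit: { line, id, note, text }.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((raw, idx) => {
    const line = stripLineComment(raw);
    for (const p of SINK_PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ line: idx + 1, id: p.id, note: p.note, text: raw.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source, not taken from any real application.
const SAMPLE_SOURCE = [
  "var result = eval(userInput);",                              // 1: reported
  "setTimeout(\"show('\" + name + \"')\", 1000);",               // 2: string built from input
  "setTimeout(function () { show(name); }, 1000);",             // 3: safe form
  "setInterval(() => poll(), 5000);",                           // 4: safe form
  "setInterval('poll()', 5000);",                               // 5: reported
  "$sceProvider.enabled(false);",                               // 6: reported
  "angular.module('app').config(function ($sceProvider) {",     // 7: not a sink by itself
  "// setTimeout('old()', 0);   commented out, not reported",   // 8: comment
].join('\n');

function main() {
  for (const f of scan(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.id} - ${f.note}\n    ${f.text}`);
  }
}
main();
```

A string held in a variable and passed to setTimeout is the same sink but needs data-flow tracking to see, which is exactly the gap between a line checker like this one and a static analyzer working on the call graph; treat a clean result here as a first pass, not a verdict.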

Unit-level CISQ/OMG Quality Measurement Rules for a Web / JEE and Oracle SQL application can be found here: CISQ/OMG Automated Source Code Measurement Standards Coverage for a Web / JEE and Oracle SQL application - Unit-level
