JS: Update CWE tags and severity score of code injection query

The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due
to some differences in CWE tags, such as the inclusion of CWE-079.

We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
Asger Feldthaus
2021-10-05 08:50:32 +02:00
parent c4e8af983a
commit 3a20ca96c4


@@ -4,11 +4,12 @@
* code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 6.1
* @security-severity 9.3
* @precision high
* @id js/code-injection
* @tags security
* external/cwe/cwe-094
* external/cwe/cwe-095
* external/cwe/cwe-079
* external/cwe/cwe-116
*/
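Review bot: the hunk keeps `external/cwe/cwe-079` and `external/cwe/cwe-116` while raising `@security-severity` from 6.1 to 9.3, which conflicts with the commit message's reasoning that the low derived score was caused by the CWE-079 tag; if the score is derived from the CWE set, a hand-edited value will be recomputed to the old result as long as CWE-079 stays, so either drop the tag here or document in the message why 079/116 are kept and the score is overridden. The added `external/cwe/cwe-095` line is consistent with the message and with CWE-094 already being present, but worth stating in the query's doc comment (visible above `@kind path-problem`) that both eval-style and generic code injection are in scope so the 9.3 rating is justified for every sink the query reports.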