#javascript
Rulesets (37)

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

Rules from the preeminent Node.js security scanner, NodeJSScan.

Default ruleset for JavaScript, curated by r2c.

Most common clientside JavaScript XSS vulnerabilities

Default ruleset for TypeScript, curated by r2c.

Cross-site scripting (XSS) secure defaults for Express.js

Rule pack for detecting insecure transport in node js

Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.

A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.

Secure defaults for XSS prevention

Find common bugs, errors, and logic issues in popular languages.

Ensure your code communicates over encrypted channels instead of plaintext.

Rules for detecting secrets checked into version control

Ruleset accompanying r2c OWASP presentation.

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.

Rule pack for detecting insecure transport in node js

Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).

Omni pack for insecure transport rules

electron desktop app

Default ruleset for Express.js, written by r2c.
eslint rules in Gitlab SAST, written by Gitlab, ajinabraham, and r2c

Insecure usage of most popular headless browser APIs

Ensure your code communicates over encrypted channels instead of plaintext.

Secure defaults for Command injection prevention
A ruleset of javascript and typescript rules made for OWASP Juice Shop.

Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.

SQL injection guardrails. Checks for non-constant SQL queries and other SQLi.

Default ruleset for Node.js, curated by r2c.

Ruleset for OWASP SF
Rules (482)
Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
Experimental features are not expected to be in production ready applications.
Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
Disabling context isolation can introduce Prototype Pollution vulnerabilities.
User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.

Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.

This application has anti CSRF protection which prevents cross site request forgery attacks.

Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/

X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/

Expect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/

Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/

X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/

X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/

Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/

HSTS header is present. More information: https://helmetjs.github.io/docs/hsts/

X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/

Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/

Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/

X-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/

This application has API rate limiting controls.
Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Detected eval(variable), which could allow a malicious actor to run arbitrary code.
Detected non-literal calls to child_process.exec(). This could lead to a command injection vulnerability.
Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files.
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.
Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.

Make sure that unverified user data can not reach vm.runInContext.

Make sure that unverified user data can not reach `vm2`.

Make sure that unverified user data can not reach `vm2`.

Make sure that unverified user data can not reach vm.runInNewContext.

Make sure that unverified user data can not reach vm.compileFunction.

Make sure that unverified user data can not reach vm instance.

Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.

Unrusted data in `sandbox` can result in code injection.

Untrusted user input in `vm.runInNewContext()` can result in code injection.

Untrusted user input reaching `vm2` can result in code injection.

Untrusted user input in `vm.compileFunction()` can result in code injection.

Untrusted user input reaching `vm` can result in code injection.

Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.

Untrusted user input reaching `vm2` sandbox can result in context injection.

Untrusted user input in `vm.runInContext()` can result in code injection.

Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/

Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/

X-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/

This application has API rate limiting controls.

Disabling context isolation can introduce Prototype Pollution vulnerabilities.

Experimental features are not expected to be in production ready applications.

Untrusted input concatinated with raw SQL query can result in SQL Injection.

Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/

X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/

X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/

Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/

HSTS header is present. More information: https://helmetjs.github.io/docs/hsts/

X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/

A hardcoded secret is identified. Store it properly in an environment variable.

Error messages with stack traces can expose sensitive information about the application.

Error messages with stack traces may expose sensitive information about the application.

Blink's experimental features are enabled in this application. Some of the features may affect the security of the application.

MD5 is a a weak hash which is known to have collision. Use a strong hashing function.

SHA1 is a a weak hash which is known to have collision. Use a strong hashing function.

AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.

AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.

A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.

User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.

Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.

Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.

String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.

Untrusted user input in `require()` function allows an attacker to load arbitrary code.

Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).

Unrusted data in `sandbox` can result in code injection.

Untrusted user input reaching `vm2` can result in code injection.

Error messages with stack traces can expose sensitive information about the application.

Error messages with stack traces may expose sensitive information about the application.

Hardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.

A hardcoded password in plain text is identified. Store it properly in an environment variable.

A hardcoded username in plain text is identified. Store it properly in an environment variable.

A hardcoded API Key is identified. Store it properly in an environment variable.

A hardcoded secret is identified. Store it properly in an environment variable.

User controlled data is used for application business logic decision making. This expose protected data or functionality.

Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.

Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

One or more Security Response header is explicitly disabled in Helmet.

Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.

Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.

Hardcoded JWT secret or private key was found. Store it properly in an environment variable.

Hardcoded JWT secret was found. Store it properly in an environment variable.

Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature.

No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).

User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).

Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used.

Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.

Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.

User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities

Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.

The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.

The Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.

The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.

Untrusted input concatinated with raw SQL query can result in SQL Injection.

Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.

Layer7 Denial of Service. Looping over user controlled objects can result in DoS.

User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection

User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.

User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.

The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.

Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

Untrusted user input in redirect() can result in Open Redirect vulnerability.

Untrusted user input in response header('Location') can result in Open Redirect vulnerability.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.

Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.

Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.

User controlled data in xpath.parse() can result in XPATH injection vulnerability.

Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.

Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.

Disabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.

Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.

This application has anti CSRF protection which prevents cross site request forgery attacks.

Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/

X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/

Expect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/

SSL Certificate verification for node-curl is disabled.

Untrusted user input in findOne() function can result in NoSQL Injection.

Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.

Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).

Hardcoded JWT secret or private key was found. Store it properly in an environment variable.

Hardcoded JWT secret was found. Store it properly in an environment variable.

User controlled data is used for application business logic decision making. This expose protected data or functionality.

POST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.

User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.

Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.

Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.

Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application.

Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).

Disabling context isolation can introduce Prototype Pollution vulnerabilities.

Experimental features are not expected to be in production ready applications.

Untrusted user input reaching `vm2` sandbox can result in context injection.

Untrusted user input in `vm.runInContext()` can result in code injection.

Untrusted user input in `vm.runInNewContext()` can result in code injection.

Untrusted user input in `vm.compileFunction()` can result in code injection.

Untrusted user input reaching `vm` can result in code injection.

User controlled data in 'yaml.load()' function can result in Remote Code Injection.

Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.

Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.

Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.

Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.

Session middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.

Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.

Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

MD5 is a a weak hash which is known to have collision. Use a strong hashing function.

SHA1 is a a weak hash which is known to have collision. Use a strong hashing function.

AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.

Untrusted user input in `require()` function allows an attacker to load arbitrary code.

User controlled data in 'yaml.load()' function can result in Remote Code Injection.

User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.

User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.

POST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.

Hardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.

A hardcoded password in plain text is identified. Store it properly in an environment variable.

A hardcoded API Key is identified. Store it properly in an environment variable.

Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.

Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.

Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.

Default session middleware settings: `httpOnly` not set. It ensures the sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.

Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.

Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.

Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

One or more Security Response header is explicitly disabled in Helmet.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.

Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.

The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.

Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature.

No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.

Layer7 Denial of Service. Looping over user controlled objects can result in DoS.

Untrusted user input in findOne() function can result in NoSQL Injection.

Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.

Untrusted user input in redirect() can result in Open Redirect vulnerability.

Untrusted user input in response header('Location') can result in Open Redirect vulnerability.

Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

SSL Certificate verification for node-curl is disabled.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).

User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).

Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.

User controlled data in xpath.parse() can result in XPATH injection vulnerability.

Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.

Disabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilities.

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities

Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

Untrusted user input in rendering reactHTMLParser can lead to an XSS

If the $translateSanitization.useStrategy is set to null or blank this can be dangerous.

`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.

found alert() call; should this be in production code?

found debugger call; should this be in production code?

found prompt() call; should this be in production code?

Creating and using a large number of zlib objects simultaneously can cause significant memory fragmentation. It is strongly recommended that the results of compression operations be cached or made synchronous to avoid duplication of effort.

`$X` is assigned twice; the first assignment is useless

Detected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.

Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.

A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.

A hardcoded username in plain text is identified. Store it properly in an environment variable.

Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.

By declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior.

findDOMNode is an escape hatch used to access the underlying DOM node. In most cases, use of this escape hatch is discouraged because it pierces the component abstraction.

Legacy component lifecycle was detected - $METHOD.

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

The string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.
Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.

User controlled data was found to enter a dynamic execution of JavaScript. This can lead to Remote Code Injection. Where possible do not dynamically execute user-input in functions such as eval(...).

found confirm() call; should this be in production code?

TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.

Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Upgrade to Semgrep Team Tier to see this rule. Visit https://semgrep.dev/pricing to learn how to upgrade.

Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.

Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`

User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.

Possibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.

This rule is deprecated.

Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.

Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.

Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, used parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`

Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

This template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).

If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.

Use of $window.location.href can lead to open-redirect if user input is used for redirection.

$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.

The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.

The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.

The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.