Setting expectations, what is the source of truth for CWEs I can expect codeQL to find? #17364
Hi
Is the list below the one I should look at for supported CWEs per language? Can I expect relevant CWEs for the specific language to be found (in case of a matching issue)? Is there somewhere else I should be looking?
https://codeql.github.com/codeql-query-help/full-cwe/
I am mostly asking after testing a few things with "WebGoat" and not seeing issues that should have been found according to the above table.
Thank you.
Replies: 1 comment
Hi
Yes, I believe that is the list of CWEs that we currently support. Note that some CWEs are extremely broad in scope, for example CWE-200, where sensitive information can mean a lot of different things, so claiming full support is virtually impossible.
Out of interest, which results were you missing on WebGoat?
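A way to check the published CWE list against what a query pack actually ships, as an added example that is not part of the original discussion or of the CodeQL project: every CodeQL query carries a metadata header whose `@tags` line references CWEs as `external/cwe/cwe-NNN`, and `@precision` decides which query suite a query lands in. The script below parses those headers and builds a per-language CWE coverage table. The query files embedded here are constructed samples laid out like the `github/codeql` repository (`<language>/ql/src/...`), and the mapping of precision levels to suites (`high` and above for the default suite, `medium` and above for security-extended) is my reading of the CodeQL documentation, not something this page states.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample query files, keyed by repository-relative path.
# Only the metadata header matters for coverage; query bodies are omitted.
SAMPLE_QUERIES = {
    "java/ql/src/Security/CWE/CWE-079/XSS.ql": """\
/**
 * @name Cross-site scripting
 * @kind path-problem
 * @precision high
 * @id java/xss
 * @tags security
 *       external/cwe/cwe-079
 */
""",
    "java/ql/src/Security/CWE/CWE-089/SqlTainted.ql": """\
/**
 * @name Query built from user-controlled sources
 * @kind path-problem
 * @precision high
 * @id java/sql-injection
 * @tags security
 *       external/cwe/cwe-089
 */
""",
    "java/ql/src/Security/CWE/CWE-200/SensitiveLog.ql": """\
/**
 * @name Sensitive information written to log (constructed example)
 * @kind problem
 * @precision medium
 * @id java/example-sensitive-log
 * @tags security
 *       external/cwe/cwe-200
 *       external/cwe/cwe-532
 */
""",
    "javascript/ql/src/Security/CWE-079/Xss.ql": """\
/**
 * @name Client-side cross-site scripting
 * @kind path-problem
 * @precision high
 * @id js/xss
 * @tags security
 *       external/cwe/cwe-079
 */
""",
}

HEADER_RE = re.compile(r"/\*\*(.*?)\*/", re.DOTALL)
CWE_RE = re.compile(r"external/cwe/cwe-(\d+)", re.IGNORECASE)
# Assumed ordering of @precision values (low < medium < high < very-high).
PRECISION_ORDER = {"low": 0, "medium": 1, "high": 2, "very-high": 3}


def parse_header(text):
    """Return {key: value} for the @-tags in the leading /** ... */ comment.

    Continuation lines (such as the second CWE tag) are appended to the
    value of the most recent key.
    """
    match = HEADER_RE.search(text)
    if not match:
        return {}
    meta, key = {}, None
    for raw in match.group(1).splitlines():
        line = raw.strip().lstrip("*").strip()
        if line.startswith("@"):
            key, _, value = line[1:].partition(" ")
            meta[key] = value.strip()
        elif key and line:
            meta[key] += " " + line
    return meta


def query_cwes(meta):
    """CWE numbers referenced by a query's @tags line."""
    return {int(n) for n in CWE_RE.findall(meta.get("tags", ""))}


def coverage(queries, min_precision="high"):
    """Map language -> sorted CWE ids covered by queries at or above min_precision.

    The language is the first path component, as in the github/codeql layout.
    """
    threshold = PRECISION_ORDER[min_precision]
    table = defaultdict(set)
    for path, text in queries.items():
        meta = parse_header(text)
        if PRECISION_ORDER.get(meta.get("precision", "low"), 0) < threshold:
            continue
        table[path.split("/", 1)[0]] |= query_cwes(meta)
    return {lang: sorted(cwes) for lang, cwes in table.items()}


def queries_for(queries, language, cwe):
    """Query @ids of the given language that claim the given CWE, at any precision."""
    hits = []
    for path, text in queries.items():
        meta = parse_header(text)
        if path.startswith(language + "/") and cwe in query_cwes(meta):
            hits.append(meta.get("id", path))
    return sorted(hits)


def load_queries(root):
    """Read every .ql file under a real checkout (e.g. a clone of github/codeql)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*.ql")}


if __name__ == "__main__":
    for suite, level in (("default", "high"), ("security-extended", "medium")):
        print(suite, coverage(SAMPLE_QUERIES, level))
    print("java CWE-200 queries:", queries_for(SAMPLE_QUERIES, "java", 200))
```

Run against a real checkout with `coverage(load_queries("path/to/codeql"))`; a CWE that appears in the published list but only at `medium` precision will be missing from the default-suite table, which is one ordinary reason a finding expected from the list never shows up in a scan.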