
Kotlin Scan rules

Contrast Scan supports these rules for Kotlin. For each rule the table gives the severity Contrast assigns, the rule name shown in Contrast, the underlying engine rule ID, and the engine's one-line description. Rule IDs under OPT.KOTLIN.ANDROID apply to Android code; IDs without the SEC segment (for example OPT.KOTLIN.ComplexFunction) are code-quality rules rather than security rules.

| Severity | Contrast rule | Engine rule ID | Description |
|---|---|---|---|
| Critical | Insecure SSL | OPT.KOTLIN.SEC.InsecureSSL | InsecureSSL: Insecure SSL configuration |
| Critical | Too Much Origins Allowed | OPT.KOTLIN.SEC.TooMuchOriginsAllowed | TooMuchOriginsAllowedRule: CORS policy (Cross-origin resource sharing) too broad |
| Critical | Dynamically Loading Code | OPT.KOTLIN.ANDROID.DynamicallyLoadingCode | DynamicallyLoadingCode: Discourage dynamically loading code |
| Critical | Intent Manipulation | OPT.KOTLIN.ANDROID.IntentManipulation | IntentManipulation: Intent Manipulation |
| Critical | Javascript Enabled | OPT.KOTLIN.ANDROID.JavascriptEnabled | JavascriptEnabled: Enabling JavaScript is not recommended |
| Critical | Javascript Interface Annotation | OPT.KOTLIN.ANDROID.JavascriptInterfaceAnnotation | JavascriptInterfaceAnnotation: Potential code injection via WebView.addJavaScriptInterface() |
| Critical | Code Injection | OPT.KOTLIN.SEC.CodeInjection | CodeInjectionRule: Dynamic code injection in scripting API |
| Critical | Command Injection | OPT.KOTLIN.SEC.CommandInjection | CommandInjectionRule: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Critical | Connection String Parameter Pollution | OPT.KOTLIN.SEC.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
| Critical | Cross Site Scripting | OPT.KOTLIN.SEC.CrossSiteScripting | CrossSiteScriptingRule: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Critical | Http Splitting | OPT.KOTLIN.SEC.HttpSplitting | HttpSplittingRule: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| Critical | Ldap Injection | OPT.KOTLIN.SEC.LdapInjection | LdapInjectionRule: Avoid non-neutralized user-controlled input in LDAP search filters |
| Critical | Mail Command Injection | OPT.KOTLIN.SEC.MailCommandInjection | MailCommandInjection: Mail Command Injection |
| Critical | No SQL Injection | OPT.KOTLIN.SEC.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
| Critical | Process Control | OPT.KOTLIN.SEC.ProcessControl | ProcessControlRule: Library loaded from untrusted source |
| Critical | Regex Injection | OPT.KOTLIN.SEC.RegexInjection | RegexInjectionRule: Prevent denial of service attack through malicious regular expression ('Regex Injection') |
| Critical | Same Origin Method Execution | OPT.KOTLIN.SEC.SameOriginMethodExecution | SameOriginMethodExecution: Same Origin Method Execution (SOME) |
| Critical | Server Side Request Forgery | OPT.KOTLIN.SEC.ServerSideRequestForgery | ServerSideRequestForgeryRule: Server-Side Request Forgery (SSRF) |
| Critical | SQL Injection | OPT.KOTLIN.SEC.SqlInjection | SqlInjectionRule: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| Critical | Xml Entity Injection | OPT.KOTLIN.SEC.XmlEntityInjection | XmlEntityInjectionRule: XML entity injection |
| Critical | Privilege Escalation Attack | OPT.KOTLIN.ANDROID.PrivilegeEscalationAttack | PrivilegeEscalationAttack: Don't allow applications to execute code using other applications' privileges |
| Critical | Garbage Collector Call | OPT.KOTLIN.GarbageCollectorCall | GarbageCollectorCall: Avoid invoking the garbage collector |
| Critical | Accessibility Subversion | OPT.KOTLIN.SEC.AccessibilitySubversion | AccessibilitySubversionRule: Java access restriction subverted (Reflection) |
| Critical | Anonymous Ldap Bind | OPT.KOTLIN.SEC.AnonymousLdapBind | AnonymousLdapBindRule: Access Control - Anonymous LDAP Bind |
| Critical | Native Code Exposed | OPT.KOTLIN.SEC.NativeCodeExposed | NativeCodeExposed: Native Code Exposed. |
| Critical | Path Traversal | OPT.KOTLIN.SEC.PathTraversal | PathTraversalRule: Avoid non-neutralized user-controlled input composed in a pathname to a resource |
| Critical | Android Sticky Broadcast | OPT.KOTLIN.ANDROID.AndroidStickyBroadcast | AndroidStickyBroadcast: Avoid Sticky Broadcasts |
| Critical | SMS Monitoring | OPT.KOTLIN.ANDROID.SMSMonitoring | SMSMonitoring: Don't use SMS for data input or command |
| Critical | Password In Redirect | OPT.KOTLIN.SEC.PasswordInRedirect | PasswordInRedirect: Password Management - Password in Redirect |
| Critical | Hardcoded Crypto Key | OPT.KOTLIN.SEC.HardcodedCryptoKey | HardcodedCryptoKey: Hardcoded cryptographic keys |
| Critical | Non Random IV With CBC Mode | OPT.KOTLIN.SEC.NonRandomIVWithCBCMode | NonRandomIVWithCBCMode: Not using a Random IV with CBC Mode |
| Critical | Weak Cryptographic Hash | OPT.KOTLIN.SEC.WeakCryptographicHash | WeakCryptographicHashRule: Weak cryptographic hash |
| Critical | Weak Encryption | OPT.KOTLIN.SEC.WeakEncryption | WeakEncryptionRule: Weak symmetric encryption algorithm |
| High | Prevent Backup Vulnerability | OPT.KOTLIN.ANDROID.PreventBackupVulnerability | PreventBackupVulnerability: Inadequate backup configuration |
| High | Insufficient Session Expiration | OPT.KOTLIN.SEC.InsufficientSessionExpiration | InsufficientSessionExpirationRule: Checks that session expiration interval is positive and does not exceed a limit |
| High | Web Xml Security Misconfigurations | OPT.KOTLIN.SEC.WebXmlSecurityMisconfigurations | WebXmlSecurityMisconfigurationsRule: Avoid misconfiguring security properties in web.xml descriptor |
| High | Cross Site Request Forgery | OPT.KOTLIN.SEC.CrossSiteRequestForgery | CrossSiteRequestForgeryRule: Cross-site request forgery (CSRF) |
| High | External Control Of Configuration Setting | OPT.KOTLIN.SEC.ExternalControlOfConfigurationSetting | ExternalControlOfConfigurationSetting: External Control of System or Configuration Setting |
| High | Http Parameter Pollution | OPT.KOTLIN.SEC.HttpParameterPollution | HttpParameterPollutionRule: HTTP parameter pollution (HPP) |
| High | JSON Injection | OPT.KOTLIN.SEC.JSONInjection | JSONInjection: Avoid using non-neutralized user-controlled input in JSON entities - JSON Injection |
| High | Log Forging | OPT.KOTLIN.SEC.LogForging | LogForging: Improper Output Neutralization for Logs |
| High | Open Redirect | OPT.KOTLIN.SEC.OpenRedirect | OpenRedirectRule: URL Redirection to Untrusted Site ('Open Redirect') |
| High | Resource Injection | OPT.KOTLIN.SEC.ResourceInjection | ResourceInjection: Improper control of resource identifiers ("Resource Injection") |
| High | Trust Boundary Violation | OPT.KOTLIN.SEC.TrustBoundaryViolation | TrustBoundaryViolationRule: Trust boundary violation |
| High | Unsafe Reflection | OPT.KOTLIN.SEC.UnsafeReflection | UnsafeReflection: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| High | XPath Injection | OPT.KOTLIN.SEC.XPathInjection | XPathInjectionRule: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| High | Xslt Injection | OPT.KOTLIN.SEC.XsltInjection | XsltInjection: XML Injection (aka Blind XPath Injection) |
| High | Iterator Has Next Calls Next | OPT.KOTLIN.IteratorHasNextCallsNext | IteratorHasNextCallsNext: Iterator hasNext() calls next(). |
| High | Cookies In Security Decision | OPT.KOTLIN.SEC.CookiesInSecurityDecision | CookiesInSecurityDecision: Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| High | Security Check In Overridable Method | OPT.KOTLIN.SEC.SecurityCheckInOverridableMethod | SecurityCheckInOverridableMethodRule: Methods that perform a security check must be declared private or final |
| High | Spring No Anti Xss Configuration | OPT.KOTLIN.SEC.SpringNoAntiXssConfiguration | SpringNoAntiXssConfiguration: Use defaultHtmlEscape (OWASP 2021 A5; WASC 08; PCI-DSS 6.5.7; ASVS 4.0.2 3.4.5) |
| High | Unhandled SSL Exception | OPT.KOTLIN.SEC.UnhandledSSLException | UnhandledSSLExceptionRule: Unhandled SSL exception |
| High | User Controlled SQL Primary Key | OPT.KOTLIN.SEC.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using a user-controlled primary key in a query |
| High | Unpaired Equals Hash Code | OPT.KOTLIN.UnpairedEqualsHashCode | UnpairedEqualsHashCode: Object Model Violation: Just one of equals and hashCode defined. |
| High | Wrong Equals Signature | OPT.KOTLIN.WrongEqualsSignature | WrongEqualsSignature: Wrong equals() signature. |
| High | Hardcoded Ip | OPT.KOTLIN.SEC.HardcodedIp | HardcodedIp: Do not write IP addresses in source code |
| High | Hardcoded Salt | OPT.KOTLIN.SEC.HardcodedSalt | HardcodedSaltRule: A hardcoded salt can compromise system security |
| High | Inadequate Padding | OPT.KOTLIN.SEC.InadequatePadding | InadequatePaddingRule: Inadequate padding |
| High | Insecure Randomness | OPT.KOTLIN.SEC.InsecureRandomness | InsecureRandomnessRule: Standard pseudo-random number generators cannot withstand cryptographic attacks |
| High | Insecure Transport | OPT.KOTLIN.SEC.InsecureTransport | InsecureTransport: Insecure transport |
| High | Insufficient Key Size | OPT.KOTLIN.SEC.InsufficientKeySize | InsufficientKeySizeRule: Weak cryptography, insufficient key length |
| Low | Bad Exception Handling | OPT.KOTLIN.BadExceptionHandling | BadExceptionHandling: Bad exception handling. |
| Low | Complex Condition | OPT.KOTLIN.ComplexCondition | ComplexCondition: Too complex boolean condition. |
| Low | Complex Function | OPT.KOTLIN.ComplexFunction | ComplexFunction: Too complex function. |
| Low | Empty Function | OPT.KOTLIN.EmptyFunction | EmptyFunction: Empty function. |
| Low | Generic Array Of Primitives | OPT.KOTLIN.GenericArrayOfPrimitives | GenericArrayOfPrimitives: Generic Array of primitive type. |
| Low | Long Function | OPT.KOTLIN.LongFunction | LongFunction: Long function. |
| Low | Spread Operator | OPT.KOTLIN.SpreadOperator | SpreadOperator: Use of spread (*) operator. |
| Low | Too Many Parameters | OPT.KOTLIN.TooManyParameters | TooManyParameters: Too many parameters in function. |
| Low | Unsafe Cast | OPT.KOTLIN.UnsafeCast | UnsafeCast: Unsafe cast. |
| Low | Unused Function Parameter | OPT.KOTLIN.UnusedFunctionParameter | UnusedFunctionParameter: Unused function parameter. |
| Medium | Plaintext Storage In A Cookie | OPT.KOTLIN.SEC.PlaintextStorageInACookie | PlaintextStorageInACookieRule: Cleartext Storage of Sensitive Information in a Cookie |
| Medium | Unsafe Cookie | OPT.KOTLIN.SEC.UnsafeCookie | UnsafeCookie: Generate server-side cookies with adequate security properties |
| Medium | Exported Preference Activity | OPT.KOTLIN.ANDROID.ExportedPreferenceActivity | ExportedPreferenceActivity: Activities extending PreferenceActivity should not be exported |
| Medium | Avoid Host Name Checks | OPT.KOTLIN.SEC.AvoidHostNameChecks | AvoidHostNameChecksRule: Avoid checks on the client-side hostname, which are not reliable due to DNS poisoning |
| Medium | Format String Injection | OPT.KOTLIN.SEC.FormatStringInjection | FormatStringInjectionRule: Exclude unsanitized user input from format strings |
| Medium | Serialization Injection | OPT.KOTLIN.SEC.SerializationInjection | SerializationInjection: Deserialization of untrusted data |
| Medium | Check External Storage Permission | OPT.KOTLIN.ANDROID.CheckExternalStoragePermission | CheckExternalStoragePermission: Check permission usage conformance (External Storage Permission) |
| Medium | Check Internet Permission | OPT.KOTLIN.ANDROID.CheckInternetPermission | CheckInternetPermission: Check permission usage conformance (Internet Permission) |
| Medium | Check Location Permission | OPT.KOTLIN.ANDROID.CheckLocationPermission | CheckLocationPermission: Check permission usage conformance (Location Permission) |
| Medium | Complex Interface | OPT.KOTLIN.ComplexInterface | ComplexInterface: Too complex interface. |
| Medium | Excessive Method Overloading | OPT.KOTLIN.ExcessiveMethodOverloading | ExcessiveMethodOverloading: Excessive method overloading. |
| Medium | Excessive Nesting Depth | OPT.KOTLIN.ExcessiveNestingDepth | ExcessiveNestingDepth: Excessive nesting depth. |
| Medium | For Each On Range | OPT.KOTLIN.ForEachOnRange | ForEachOnRange: ForEach on range. |
| Medium | Missing When Case | OPT.KOTLIN.MissingWhenCase | MissingWhenCase: Missing when case. |
| Medium | Detail Error Leak | OPT.KOTLIN.SEC.DetailErrorLeak | DetailErrorLeakRule: Do not send detailed error information to the client |
| Medium | Execution After Redirect | OPT.KOTLIN.SEC.ExecutionAfterRedirect | ExecutionAfterRedirect: Execution After Redirect (EAR) |
| Medium | Too Many Functions | OPT.KOTLIN.TooManyFunctions | TooManyFunctions: Too many functions. |
| Medium | Unconditional Jump In Loop | OPT.KOTLIN.UnconditionalJumpInLoop | UnconditionalJumpInLoop: Unconditional jump in loop. |
| Medium | Unreachable Code | OPT.KOTLIN.UnreachableCode | UnreachableCode: Unreachable ("dead") code. |
| Medium | Unused Private Function | OPT.KOTLIN.UnusedPrivateFunction | UnusedPrivateFunction: Unused private function. |
| Medium | Hardcoded Username Password | OPT.KOTLIN.SEC.HardcodedUsernamePassword | HardcodedUsernamePassword: Use of Hard-coded Credentials |
| Medium | JSON P Hijacking | OPT.KOTLIN.SEC.JSONPHijacking | JSONPHijacking: Sensitive information exposed through JSONP |
| Medium | Password In Configuration File | OPT.KOTLIN.SEC.PasswordInConfigurationFile | PasswordInConfigurationFile: Use of credentials in a configuration file |
| Medium | Plaintext Storage Of Password | OPT.KOTLIN.SEC.PlaintextStorageOfPassword | PlaintextStorageOfPassword: Plaintext Storage of a Password |
| Medium | Privacy Violation | OPT.KOTLIN.SEC.PrivacyViolation | PrivacyViolation: Exposure of Private Information ('Privacy Violation') |
| Medium | Serializable Class Containing Sensitive Data | OPT.KOTLIN.SEC.SerializableClassContainingSensitiveData | SerializableClassContainingSensitiveData: Serializable Class Containing Sensitive Data |
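The injection rules in the table (OPT.KOTLIN.SEC.SqlInjection and OPT.KOTLIN.SEC.PathTraversal in particular) fire on code that lets untrusted input reach a query string or a file path unchanged. The following is an added example written for this page, not Contrast's own code or the rule's detection logic; it puts the flagged shape beside a hardened version. The `users` table, the `uploads` directory and the `Connection` handed in by the caller are assumptions for illustration.

```kotlin
import java.nio.file.Path
import java.nio.file.Paths
import java.sql.Connection
import java.sql.ResultSet

// Added example (not Contrast code). Pairs the code shape the SqlInjection and
// PathTraversal rules report with the hardened equivalent. `conn`, the `users`
// table and the upload directory are assumed for illustration.

// --- OPT.KOTLIN.SEC.SqlInjection ---

// Flagged: untrusted `username` is spliced into the SQL text, so a value such
// as  ' OR '1'='1  changes the structure of the statement.
fun findUserUnsafe(conn: Connection, username: String): ResultSet {
    val sql = "SELECT id, email FROM users WHERE name = '$username'"
    return conn.createStatement().executeQuery(sql)
}

// Hardened: the statement text is constant and the value travels as a bound
// parameter, so the driver never parses it as SQL.
fun findUserSafe(conn: Connection, username: String): ResultSet {
    val stmt = conn.prepareStatement("SELECT id, email FROM users WHERE name = ?")
    stmt.setString(1, username)
    return stmt.executeQuery()
}

// --- OPT.KOTLIN.SEC.PathTraversal ---

// Flagged: a caller-supplied name is joined to the base directory as-is, so
// "../../etc/passwd" (or an absolute path) leaves the intended folder.
fun uploadPathUnsafe(baseDir: Path, fileName: String): Path =
    baseDir.resolve(fileName)

// Hardened: resolve, normalise away "." and "..", then require the result to
// still sit below the base directory. An absolute `fileName` replaces the
// base on resolve() and therefore fails the startsWith check as well.
fun uploadPathSafe(baseDir: Path, fileName: String): Path {
    val base = baseDir.toAbsolutePath().normalize()
    val candidate = base.resolve(fileName).normalize()
    require(candidate.startsWith(base) && candidate != base) {
        "path escapes upload directory: $fileName"
    }
    return candidate
}

fun main() {
    val base = Paths.get("/srv/app/uploads")
    println(uploadPathSafe(base, "report.pdf"))
    for (bad in listOf("../../etc/passwd", "/etc/passwd", "")) {
        runCatching { uploadPathSafe(base, bad) }
            .onFailure { println("rejected '$bad': ${it.message}") }
    }
}
```

The path check compares lexical paths only; if the upload directory may contain symlinks, resolve both sides with `toRealPath()` before the `startsWith` comparison, otherwise a link inside the directory can still point outside it.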
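Several of the cryptography rules (HardcodedCryptoKey, WeakEncryption, NonRandomIVWithCBCMode, InsufficientKeySize, InsecureRandomness) tend to fire together on a single routine. The following added example, written for this page rather than taken from Contrast, shows one function that trips all of them and a replacement that does not. The idea that the key is loaded from a key store is an assumption; the demo key generator stands in for that step so the block runs on its own.

```kotlin
import java.security.SecureRandom
import java.util.Random
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

// Added example (not Contrast code).

// Flagged by HardcodedCryptoKey, WeakEncryption, NonRandomIVWithCBCMode,
// InsufficientKeySize and InsecureRandomness:
//  - the key is a literal in the source, so anyone with the binary has it,
//  - DES has a 56-bit effective key and is broken,
//  - the IV is constant, so equal plaintext prefixes give equal ciphertext,
//  - java.util.Random is predictable and must not produce crypto material.
fun encryptUnsafe(plaintext: ByteArray): ByteArray {
    val key = SecretKeySpec("8bytekey".toByteArray(), "DES")
    val iv = IvParameterSpec(ByteArray(8))                 // all-zero, fixed IV
    val cipher = Cipher.getInstance("DES/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, key, iv)
    val filler = ByteArray(4).also { Random().nextBytes(it) }  // weak RNG
    return filler + cipher.doFinal(plaintext)
}

private val rng = SecureRandom()
private const val GCM_NONCE_BYTES = 12
private const val GCM_TAG_BITS = 128

// Hardened: the caller supplies a key obtained from a key store or secrets
// manager (assumed; never a literal), AES-256 in GCM mode provides both
// confidentiality and integrity, and a fresh SecureRandom nonce is generated
// per message and prepended to the ciphertext so the receiver can recover it.
fun encryptSafe(key: SecretKey, plaintext: ByteArray): ByteArray {
    val nonce = ByteArray(GCM_NONCE_BYTES).also { rng.nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, nonce))
    return nonce + cipher.doFinal(plaintext)
}

fun decryptSafe(key: SecretKey, blob: ByteArray): ByteArray {
    require(blob.size > GCM_NONCE_BYTES) { "ciphertext too short" }
    val nonce = blob.copyOfRange(0, GCM_NONCE_BYTES)
    val body = blob.copyOfRange(GCM_NONCE_BYTES, blob.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, nonce))
    return cipher.doFinal(body)   // throws AEADBadTagException on tampering
}

// Stand-in for "key loaded from a key store": a fresh 256-bit AES key kept
// only in memory. In a real service the key comes from platform secret
// storage, never from code.
fun generateDemoKey(): SecretKey =
    KeyGenerator.getInstance("AES").apply { init(256, rng) }.generateKey()

fun main() {
    val key = generateDemoKey()
    val msg = "card=4111111111111111".toByteArray()
    val c1 = encryptSafe(key, msg)
    val c2 = encryptSafe(key, msg)
    check(!c1.contentEquals(c2))                         // fresh nonce each call
    check(decryptSafe(key, c1).contentEquals(msg))       // round trip
    c1[c1.size - 1] = (c1.last().toInt() xor 1).toByte() // flip one tag bit
    check(runCatching { decryptSafe(key, c1) }.isFailure) // tamper is detected
    println("ok")
}
```

If a dependency forces CBC, the NonRandomIVWithCBCMode rule is satisfied by the same pattern: a `SecureRandom` IV per message, prepended to the output, but CBC gives no integrity, so pair it with an HMAC over IV and ciphertext or move to GCM as above.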
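OPT.KOTLIN.SEC.InsecureSSL and OPT.KOTLIN.SEC.AvoidHostNameChecks both concern code that weakens TLS validation. The following added example, written for this page and not taken from Contrast, shows the trust-everything configuration the first rule targets and the alternative for the common case that motivates it (a server signed by a private CA). The trust-store path, password and endpoint are assumptions.

```kotlin
import java.io.FileInputStream
import java.net.URL
import java.security.KeyStore
import java.security.cert.X509Certificate
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Added example (not Contrast code). Trust-store path, password and endpoint
// are assumptions for illustration.

// Flagged by InsecureSSL: a trust manager that accepts every certificate and a
// hostname verifier that accepts every name turn TLS into an unauthenticated
// channel. Any on-path attacker can present a certificate of their own and
// read or modify the traffic. Setting these as JVM-wide defaults makes every
// HTTPS client in the process vulnerable, not just the one being debugged.
fun trustEverythingUnsafe() {
    val trustAll = object : X509TrustManager {
        override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
        override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
    }
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, arrayOf(trustAll), null)
    HttpsURLConnection.setDefaultSSLSocketFactory(ctx.socketFactory)
    HttpsURLConnection.setDefaultHostnameVerifier(HostnameVerifier { _, _ -> true })
}

// Hardened: keep chain validation and hostname verification, and add the
// private CA to a dedicated trust store instead of disabling checks. The
// default TrustManagerFactory still validates expiry, chain and key usage;
// only the set of trusted roots changes.
fun sslContextWithPrivateCa(trustStorePath: String, password: CharArray): SSLContext {
    val ks = KeyStore.getInstance(KeyStore.getDefaultType())
    FileInputStream(trustStorePath).use { ks.load(it, password) }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(ks)
    return SSLContext.getInstance("TLS").apply { init(null, tmf.trustManagers, null) }
}

// Apply the context to the one connection that needs it rather than to the
// process-wide default, and leave the default hostname verifier untouched.
fun openWithPrivateCa(url: String, ctx: SSLContext): HttpsURLConnection {
    val conn = URL(url).openConnection() as HttpsURLConnection
    conn.sslSocketFactory = ctx.socketFactory
    return conn
}

fun main() {
    val ctx = sslContextWithPrivateCa("/etc/app/internal-ca.p12", "changeit".toCharArray())
    val conn = openWithPrivateCa("https://api.internal.example/health", ctx)
    println("configured: ${conn.url}, verifier=${conn.hostnameVerifier.javaClass.name}")
}
```

A quick audit check for this rule class is to grep the code base for `X509TrustManager`, `setDefaultHostnameVerifier` and `ALLOW_ALL_HOSTNAME_VERIFIER`; a legitimate implementation of `checkServerTrusted` that does not delegate to a real trust manager or throw `CertificateException` is almost always the trust-everything pattern above.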
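The Android rules JavascriptEnabled and JavascriptInterfaceAnnotation (both OPT.KOTLIN.ANDROID) concern a WebView that exposes a Kotlin object to page script. The following added example, written for this page and not taken from Contrast, contrasts the reported set-up with a tighter one. The bridge classes, the token accessor and the allowed host are assumptions; it targets API 24 or later for the `WebResourceRequest` overload of `shouldOverrideUrlLoading`.

```kotlin
import android.annotation.SuppressLint
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Added example (not Contrast code). Bridge classes, token accessor and the
// allowed host are assumptions; requires API 24+ for the WebResourceRequest
// overload used below.

class UnsafeBridge(private val tokenStore: () -> String) {
    // Public and un-annotated. When the app targets API < 17 every public
    // method of the bridge object is callable from page script via reflection,
    // so any page that ends up in this WebView can read the session token.
    fun readToken(): String = tokenStore()
}

@SuppressLint("SetJavaScriptEnabled")
fun configureUnsafe(webView: WebView, tokenStore: () -> String) {
    webView.settings.javaScriptEnabled = true                       // JavascriptEnabled
    webView.addJavascriptInterface(UnsafeBridge(tokenStore), "Android") // JavascriptInterfaceAnnotation
    // No WebViewClient: a redirect or injected link carries the bridge to
    // whatever origin it lands on.
    webView.loadUrl("https://app.example.com/start")
}

class SafeBridge {
    // With targetSdk >= 17 only methods carrying @JavascriptInterface are
    // reachable from script. Expose the minimum and never return secrets.
    @JavascriptInterface
    fun appVersion(): String = "1.0"
}

private const val ALLOWED_HOST = "app.example.com"

@SuppressLint("SetJavaScriptEnabled")
fun configureSafe(webView: WebView) {
    with(webView.settings) {
        javaScriptEnabled = true        // only because this page needs it
        allowFileAccess = false         // no file:// reads from the WebView
        allowContentAccess = false      // no content:// reads either
    }
    webView.addJavascriptInterface(SafeBridge(), "Android")
    // Pin the bridge-enabled WebView to the single https origin it was built
    // for; every other navigation is cancelled, so a redirect cannot put a
    // third-party page in front of the bridge.
    webView.webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val url = request.url
            val allowed = url.scheme == "https" && url.host == ALLOWED_HOST
            return !allowed   // true cancels the navigation
        }
    }
    webView.loadUrl("https://$ALLOWED_HOST/start")
}
```

The origin check above covers top-level navigations only; iframes and fetches inside the page are not routed through `shouldOverrideUrlLoading`, so a page loaded from the allowed host still needs a strict Content-Security-Policy on the server side to keep third-party script away from the bridge.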