# PL/SQL Scan rules
Contrast Scan supports these rules for PL/SQL.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Command Injection | OPT.PLSQL.SEC.CommandInjection | CommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Critical | Cross Site Scripting | OPT.PLSQL.SEC.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | Header Manipulation | OPT.PLSQL.SEC.HeaderManipulation | HeaderManipulation: Unvalidated data in HTTP response header or in cookies ('HTTP Response Splitting') |
Critical | Persisted Cross Site Scripting | OPT.PLSQL.SEC.PersistedCrossSiteScripting | PersistedCrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | Second Order SQL Injection | OPT.PLSQL.SEC.SecondOrderSqlInjection | SecondOrderSqlInjection: SQL Injection (Second-Order). |
Critical | Server Side Request Forgery | OPT.PLSQL.SEC.ServerSideRequestForgery | ServerSideRequestForgery: Server-Side Request Forgery (SSRF) |
Critical | Sleep Injection | OPT.PLSQL.SEC.SleepInjection | SleepInjection: Denial of Service by externally controlled sleep time |
Critical | SQL Injection | OPT.PLSQL.SEC.SqlInjection | SqlInjection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Critical | D V D P | OPT.PLSQL.DC_PLSQL.DVDP | DVDP: Do not declare variables out of the main Declare |
Critical | N L S M | OPT.PLSQL.DC_PLSQL.NLSM | NLSM: Find PLSQL with more than 1000 lines |
Critical | Pkg Comment | OPT.PLSQL.DOC_PLSQL.PkgComment | PkgComment: Packages without comments |
Critical | C N L | OPT.PLSQL.GEN_PLSQL.CNL | CNL: CLOB, NO LONG |
Critical | D E W O | OPT.PLSQL.GEN_PLSQL.DEWO | DEWO: Use 'RAISE_APPLICATION_ERROR' after 'EXCEPTION WHEN OTHERS' |
Critical | D S W | OPT.PLSQL.GEN_PLSQL.DSW | DSW: Find DELETE queries without WHERE |
Critical | E S P R | OPT.PLSQL.GEN_PLSQL.ESPR | ESPR: Do not put queries after RAISE and RAISE_APPLICATION_ERROR |
Critical | I N C I | OPT.PLSQL.GEN_PLSQL.INCI | INCI: Put names to the columns in which data is inserted |
Critical | J O I N | OPT.PLSQL.GEN_PLSQL.JOIN | JOIN: JOINS must have alias |
Critical | T G | OPT.PLSQL.GEN_PLSQL.TG | TG: Identifying the existence of triggers to prevent problems of long-term maintainability |
Critical | Transaction | OPT.PLSQL.GEN_PLSQL.Transaction | Transaction: Use of INSERT, UPDATE and DELETE with COMMIT and ROLLBACK invocations |
Critical | U S W | OPT.PLSQL.GEN_PLSQL.USW | USW: Find UPDATE queries without WHERE |
Critical | V A R2 | OPT.PLSQL.GEN_PLSQL.VAR2 | VAR2: Define variables as VARCHAR2, not as VARCHAR |
Critical | Avoid Goto | OPT.PLSQL.MISC_PLSQL.AvoidGoto | AvoidGoto: Do not use GOTO statement |
Critical | Dead Goto | OPT.PLSQL.MISC_PLSQL.DeadGoto | DeadGoto: Detects dead code after GOTO statements |
Critical | Avoid calling LN | OPT.PLSQL.MISC_PLSQL.NLN | NLN: Avoid calling LN |
Critical | P C D L | OPT.PLSQL.MISC_PLSQL.PCDL | PCDL: Link parameters supported by DatabaseLink |
Critical | P D D | OPT.PLSQL.MISC_PLSQL.PDD | PDD: Passing parameters not associated to the DD in the Data Access Logic (LD) or Business Logic (LN) |
Critical | P E P P | OPT.PLSQL.MISC_PLSQL.PEPP | PEPP: External packages must contain public procedures |
Critical | P P A D | OPT.PLSQL.MISC_PLSQL.PPAD | PPAD: Passing parameters not associated to the DD in the Data Access Logic (LD) |
Critical | Big Size | OPT.PLSQL.OYR_PLSQL.BigSize | BigSize: Detects functions and procedures too large |
Critical | Check Data | OPT.PLSQL.OYR_PLSQL.CheckData | CheckData: It is not allowed to confirm the existence of a record before updating it |
Critical | Dml Returning | OPT.PLSQL.OYR_PLSQL.DmlReturning | DmlReturning: Do not access inserted, updated or deleted records to obtain fields (before or after the operation) |
Critical | E A D | OPT.PLSQL.OYR_PLSQL.EAD | EAD: Avoid DUAL access |
Critical | Total Group | OPT.PLSQL.OYR_PLSQL.TotalGroup | TotalGroup: Do not use GROUP BY in selects without aggregation functions |
Critical | Total Group Agr | OPT.PLSQL.OYR_PLSQL.TotalGroupAgr | TotalGroupAgr: Do not use GROUP BY in fields that are not present in the select |
Critical | U C R | OPT.PLSQL.OYR_PLSQL.UCR | UCR: One process has a unique commit or rollback associated |
Critical | Forbidden Call | OPT.PLSQL.SEC.ForbiddenCall | ForbiddenCall: Dangerous procedure / function called. |
Critical | Path Traversal | OPT.PLSQL.SEC.PathTraversal | PathTraversal: External Control of File Name or Path |
Critical | Too Broad Grant | OPT.PLSQL.SEC.TooBroadGrant | TooBroadGrant: Too broad privileges granted. |
Critical | Weak Cryptographic Hash | OPT.PLSQL.SEC.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hashes cannot guarantee data integrity |
Critical | Weak Symmetric Encryption Algorithm | OPT.PLSQL.SEC.WeakSymmetricEncryptionAlgorithm | WeakSymmetricEncryptionAlgorithm: Weak symmetric encryption algorithm. |
High | U V B | OPT.PLSQL.GEN_PLSQL.UVB | UVB: Use BIND variables |
High | Open Redirect | OPT.PLSQL.SEC.OpenRedirect | OpenRedirect: Do not allow to control the URL used in a redirect by an unvalidated input |
High | E C U | OPT.PLSQL.CNU_PLSQL.ECU | ECU: Avoid non-used constants |
High | E V U | OPT.PLSQL.CNU_PLSQL.EVU | EVU: Avoid non-used variables |
High | Useless Param | OPT.PLSQL.CNU_PLSQL.UselessParam | UselessParam: Detects parameters declared but not used |
High | N D C F | OPT.PLSQL.DC_PLSQL.NDCF | NDCF: Avoid declaring cursors 'on the fly' |
High | Proc Comment | OPT.PLSQL.DOC_PLSQL.ProcComment | ProcComment: Functions and procedures without comments |
High | A M | OPT.PLSQL.GEN_PLSQL.AM | AM: Put a date mask to TO_DATE and TO_CHAR functions |
High | Avoid Dual | OPT.PLSQL.GEN_PLSQL.AvoidDual | AvoidDual: Do not use SELECT over DUAL table |
High | Avoid Inner | OPT.PLSQL.GEN_PLSQL.AvoidInner | AvoidInner: Detects the use of INNER JOIN |
High | C O F | OPT.PLSQL.GEN_PLSQL.COF | COF: Do not use conditions and filter operators |
High | D H | OPT.PLSQL.GEN_PLSQL.DH | DH: Avoid hints |
High | G E R2 | OPT.PLSQL.GEN_PLSQL.GER2 | GER2: WHEN OTHERS clause must be included in exceptions |
High | G E R3 | OPT.PLSQL.GEN_PLSQL.GER3 | GER3: Avoid WHEN OTHERS THEN NULL in exceptions |
High | N D F Exception | OPT.PLSQL.GEN_PLSQL.NDFException | NDFException: Check NO_DATA_FOUND exception when SELECT with INTO statement is used |
High | W L | OPT.PLSQL.GEN_PLSQL.WL | WL: Use WHILE instead of EXIT WHEN |
High | E P P C | OPT.PLSQL.MISC_PLSQL.EPPC | EPPC: Avoid passing complex parameters |
High | L E P | OPT.PLSQL.MISC_PLSQL.LEP | LEP: No parameters in external logic |
High | Repeated Code | OPT.PLSQL.MISC_PLSQL.RepeatedCode | RepeatedCode: Avoid repeating the same query code |
High | Avoid Func | OPT.PLSQL.OYR_PLSQL.AvoidFunc | AvoidFunc: Checks that there are no queries that use functions over fields of the tables in the WHERE condition |
High | Count Asterisk | OPT.PLSQL.OYR_PLSQL.CountAsterisk | CountAsterisk: Do not use COUNT(*) function |
High | Double Select | OPT.PLSQL.OYR_PLSQL.DoubleSelect | DoubleSelect: Do not use the same WHERE clause in two consecutive queries |
High | Cursor Snarfing | OPT.PLSQL.SEC.CursorSnarfing | CursorSnarfing: Cursor Snarfing |
High | Insecure Randomness | OPT.PLSQL.SEC.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks. |
Info | Useless Query | OPT.PLSQL.CNU_PLSQL.UselessQuery | UselessQuery: It warns about queries that obtain the field which is used as filter in the WHERE clause |
Info | C A B | OPT.PLSQL.DOC_PLSQL.CAB | CAB: Include comments in headers |
Info | E N E C | OPT.PLSQL.FM_PLSQL.ENEC | ENEC: Names must not be between inverted commas |
Info | L B | OPT.PLSQL.FM_PLSQL.LB | LB: Blank lines in some sentences |
Info | M E I | OPT.PLSQL.FM_PLSQL.MEI | MEI: Code lines indentation |
Info | Nomenclator | OPT.PLSQL.FM_PLSQL.Nomenclator | Nomenclator: Use a prefix in the name of variables, parameters, exceptions and cursors |
Info | DB L | OPT.PLSQL.GEN_PLSQL.DBL | DBL: Find @dblink |
Info | Avoid independent procedures called from system logic | OPT.PLSQL.MISC_PLSQL.EPILS | EPILS: Avoid using independent procedures called from the system logic |
Info | Avoid using procedures/functions from DD | OPT.PLSQL.MISC_PLSQL.NPFD | NPFD: Avoid using procedures/functions from DD |
Info | N E D V | OPT.PLSQL.NOM_PLSQL.NEDV | NEDV: Specific naming convention for variables |
Info | P A Q2 | OPT.PLSQL.NOM_PLSQL.PAQ2 | PAQ2: Specific naming convention for packages |
Info | P R M A | OPT.PLSQL.NOM_PLSQL.PRMA | PRMA: Write reserved words in capital letters |
Info | Condition Order | OPT.PLSQL.OYR_PLSQL.ConditionOrder | ConditionOrder: Looks for control constructions with more than one condition |
Info | Default Authid | OPT.PLSQL.SEC.DefaultAuthid | DefaultAuthid: No explicit AUTHID clause. |
Low | Useless Var | OPT.PLSQL.CNU_PLSQL.UselessVar | UselessVar: Detects local variables declared but not used |
Low | Func Not Null | OPT.PLSQL.DC_PLSQL.FuncNotNull | FuncNotNull: Do not define parameters as NOT NULL in functions and procedures |
Low | L C N I | OPT.PLSQL.DC_PLSQL.LCNI | LCNI: Incorrect literal and numeric constants |
Low | Cap Word | OPT.PLSQL.FM_PLSQL.CapWord | CapWord: Use uppercase for PLSQL keywords |
Low | C C | OPT.PLSQL.GEN_PLSQL.CC | CC: Close all opened cursors |
Low | C R C | OPT.PLSQL.GEN_PLSQL.CRC | CRC: Close all opened ref cursors |
Low | Do not qualify related tables | OPT.PLSQL.GEN_PLSQL.CTI | CTI: Do not qualify related tables |
Low | G E R0 | OPT.PLSQL.GEN_PLSQL.GER0 | GER0: Make correct errors management |
Low | G E R1 | OPT.PLSQL.GEN_PLSQL.GER1 | GER1: Must be at least a block of exceptions by routine |
Low | J O I N2 | OPT.PLSQL.GEN_PLSQL.JOIN2 | JOIN2: Use the specific alias for JOINS |
Low | N U L L | OPT.PLSQL.GEN_PLSQL.NULL | NULL: Use NULL instead of |
Low | Oracle Tables | OPT.PLSQL.GEN_PLSQL.OracleTables | OracleTables: Avoid using tables and views of the Oracle Data Dictionary |
Low | U I L O | OPT.PLSQL.GEN_PLSQL.UILO | UILO: Use IN instead of OR |
Low | Use Constants | OPT.PLSQL.GEN_PLSQL.UseConstants | UseConstants: Do not use literals in the WHERE clauses |
Low | Var Loop | OPT.PLSQL.GEN_PLSQL.VarLoop | VarLoop: Do not initialize variables in a loop |
Low | C T E | OPT.PLSQL.NOM_PLSQL.CTE | CTE: Constant names must be written in capital letters |
Low | Avoid Neg | OPT.PLSQL.OYR_PLSQL.AvoidNeg | AvoidNeg: Do not use negations in the WHERE clauses |
Low | In Selects | OPT.PLSQL.OYR_PLSQL.InSelects | InSelects: Do not use SELECT with subqueries in the FROM or WHERE clauses |
Low | N V L | OPT.PLSQL.OYR_PLSQL.NVL | NVL: Avoid using NVL function |
Low | Use Between | OPT.PLSQL.OYR_PLSQL.UseBetween | UseBetween: Do not use '< [] {} |
Medium | C I F A | OPT.PLSQL.GEN_PLSQL.CIFA | CIFA: Use CASE instead of nested IF/ELSIF |
Medium | Def Sintax | OPT.PLSQL.GEN_PLSQL.DefSintax | DefSintax: Defines the syntax in the SELECT statements |
Medium | E F C W | OPT.PLSQL.GEN_PLSQL.EFCW | EFCW: Avoid use of functions in WHERE clause |
Medium | N A P E | OPT.PLSQL.GEN_PLSQL.NAPE | NAPE: Do not access the errors stack |
Medium | N F S0 | OPT.PLSQL.GEN_PLSQL.NFS0 | NFS0: Do not format output |
Medium | N F S1 | OPT.PLSQL.GEN_PLSQL.NFS1 | NFS1: Do not format the output with RPAD function |
Medium | N F S2 | OPT.PLSQL.GEN_PLSQL.NFS2 | NFS2: Do not format the output with LPAD function |
Medium | N F S3 | OPT.PLSQL.GEN_PLSQL.NFS3 | NFS3: Do not format the output with RTRIM function |
Medium | N F S4 | OPT.PLSQL.GEN_PLSQL.NFS4 | NFS4: Do not format the output with LTRIM function |
Medium | Oracle Var | OPT.PLSQL.GEN_PLSQL.OracleVar | OracleVar: Do not use control variables outside EXCEPTION blocks |
Medium | P P R | OPT.PLSQL.GEN_PLSQL.PPR | PPR: Use reference parameters |
Medium | U H N | OPT.PLSQL.GEN_PLSQL.UHN | UHN: Use NOCOPY |
Medium | Undef Case | OPT.PLSQL.GEN_PLSQL.UndefCase | UndefCase: Checks WHEN clauses are using the same control variable |
Medium | Table Alias | OPT.PLSQL.MISC_PLSQL.TableAlias | TableAlias: Define an alias for each table |
Medium | E X C | OPT.PLSQL.NOM_PLSQL.EXC | EXC: Naming convention for exceptions |
Medium | E X C G | OPT.PLSQL.NOM_PLSQL.EXCG | EXCG: Naming convention for global exceptions in packages |
Medium | F U N C | OPT.PLSQL.NOM_PLSQL.FUNC | FUNC: Correct format for functions |
Medium | F U N C2 | OPT.PLSQL.NOM_PLSQL.FUNC2 | FUNC2: Naming convention for functions |
Medium | F V C | OPT.PLSQL.NOM_PLSQL.FVC | FVC: Correct format for variables |
Medium | I D T | OPT.PLSQL.NOM_PLSQL.IDT | IDT: Variable names prefix |
Medium | P A Q | OPT.PLSQL.NOM_PLSQL.PAQ | PAQ: Correct format for packages |
Medium | P R M | OPT.PLSQL.NOM_PLSQL.PRM | PRM: Specific naming convention for parameters |
Medium | P R O C | OPT.PLSQL.NOM_PLSQL.PROC | PROC: Correct format for procedures |
Medium | Avoid Percent | OPT.PLSQL.OYR_PLSQL.AvoidPercent | AvoidPercent: Warns about queries that use LIKE filters and '%' patterns |
Medium | I C T | OPT.PLSQL.OYR_PLSQL.ICT | ICT: Put columns of the table to query |
Medium | Too Much Or | OPT.PLSQL.OYR_PLSQL.TooMuchOr | TooMuchOr: Do not perform several OR checks over the same field |
Medium | Suspicious Code | OPT.PLSQL.SEC.SuspiciousCode | SuspiciousCode: Potential malicious code. |
Medium | Unqualified Item At Invoker Rights Routine | OPT.PLSQL.SEC.UnqualifiedItemAtInvokerRightsRoutine | UnqualifiedItemAtInvokerRightsRoutine: Unqualified database items in AUTHID CURRENT_USER routine. |
Medium | User Controlled SQL Primary Key | OPT.PLSQL.SEC.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using a user-controlled primary key in a query |
Medium | Hardcoded Credential | OPT.PLSQL.SEC.HardcodedCredential | HardcodedCredential: Use of Hard-coded Credentials |