Scala Scan rules

Contrast Scan supports these rules for Scala.

| Severity | Contrast rule | Engine rule ID | Description |
|---|---|---|---|
| Critical | Too Broad CORS Policy | OPT.SCALA.SECURITY.TooBroadCORSPolicy | TooBroadCORSPolicy: Too much allowed origins in HTML5 Access-Control-Allow-Origin header |
| Critical | Too Much Origins Allowed | OPT.SCALA.SECURITY.TooMuchOriginsAllowed | TooMuchOriginsAllowedRule: CORS policy (Cross-origin resource sharing) too broad |
| Critical | Code Injection | OPT.SCALA.SECURITY.CodeInjection | CodeInjection: Avoid non-neutralized user-controlled input in dynamic code evaluation |
| Critical | Command Injection | OPT.SCALA.SECURITY.CommandInjection | CommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Critical | Connection String Parameter Pollution | OPT.SCALA.SECURITY.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
| Critical | Cross Site Scripting | OPT.SCALA.SECURITY.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Critical | Http Splitting | OPT.SCALA.SECURITY.HttpSplitting | HttpSplitting: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| Critical | JSON Injection | OPT.SCALA.SECURITY.JSONInjection | JSONInjection: Avoid using non-neutralized user-controlled input into JSON entities - JSON Injection |
| Critical | Ldap Injection | OPT.SCALA.SECURITY.LdapInjection | LdapInjection: Avoid non-neutralized user-controlled input in LDAP search filters |
| Critical | Mail Command Injection | OPT.SCALA.SECURITY.MailCommandInjection | MailCommandInjection: Mail Command Injection |
| Critical | No SQL Injection | OPT.SCALA.SECURITY.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
| Critical | Process Control | OPT.SCALA.SECURITY.ProcessControl | ProcessControl: Library loaded from untrusted source |
| Critical | Regex Injection | OPT.SCALA.SECURITY.RegexInjection | RegexInjection: Prevent denial of service attack through malicious regular expression ('Regex Injection') |
| Critical | Same Origin Method Execution | OPT.SCALA.SECURITY.SameOriginMethodExecution | SameOriginMethodExecution: Same Origin Method Execution (SOME) |
| Critical | SQL Injection | OPT.SCALA.SECURITY.SqlInjection | SqlInjection: Avoid SQL code formed with non neutralized user input (vulnerable to SQL Injection attacks) |
| Critical | Xml Entity Injection | OPT.SCALA.SECURITY.XmlEntityInjection | XmlEntityInjection: XML entity injection |
| Critical | Accessibility Subversion | OPT.SCALA.SECURITY.AccessibilitySubversion | AccessibilitySubversionRule: Java access restriction subverted (Reflection) |
| Critical | Anonymous Ldap Bind | OPT.SCALA.SECURITY.AnonymousLdapBind | AnonymousLdapBind: Access Control - Anonymous LDAP Bind |
| Critical | Password In Redirect | OPT.SCALA.SECURITY.PasswordInRedirect | PasswordInRedirect: Password Management - Password in Redirect |
| Critical | Path Traversal | OPT.SCALA.SECURITY.PathTraversal | PathTraversal: Avoid non-neutralized user-controlled input composed in a pathname to a resource |
| Critical | Hardcoded Crypto Key | OPT.SCALA.SECURITY.HardcodedCryptoKey | HardcodedCryptoKey: Hardcoded cryptographic keys |
| Critical | Non Random IV With CBC Mode | OPT.SCALA.SECURITY.NonRandomIVWithCBCMode | NonRandomIVWithCBCMode: Not using a Random IV with CBC Mode |
| Critical | Weak Cryptographic Hash | OPT.SCALA.SECURITY.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hash |
| Critical | Weak Encryption | OPT.SCALA.SECURITY.WeakEncryption | WeakEncryption: Weak symmetric encryption algorithm |
| High | Akka Security Misconfiguration | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration | AkkaSecurityMisconfiguration: Security misconfiguration in Akka framework. |
| High | Play Security Misconfiguration | OPT.SCALA.SECURITY.PlaySecurityMisconfiguration | PlaySecurityMisconfiguration: Security misconfiguration in Play framework. |
| High | Cross Site Request Forgery | OPT.SCALA.SECURITY.CrossSiteRequestForgery | CrossSiteRequestForgery: Cross-site request forgery (CSRF) |
| High | External Control Of Configuration Setting | OPT.SCALA.SECURITY.ExternalControlOfConfigurationSetting | ExternalControlOfConfigurationSetting: External Control of System or Configuration Setting |
| High | Http Parameter Pollution | OPT.SCALA.SECURITY.HttpParameterPollution | HttpParameterPollution: HTTP parameter pollution (HPP) |
| High | Open Redirect | OPT.SCALA.SECURITY.OpenRedirect | OpenRedirect: Do not allow to control the URL used in a redirect by an unvalidated input |
| High | Resource Injection | OPT.SCALA.SECURITY.ResourceInjection | ResourceInjection: Improper control of resource identifiers ("Resource Injection") |
| High | Server Side Request Forgery | OPT.SCALA.SECURITY.ServerSideRequestForgery | ServerSideRequestForgery: Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) |
| High | Trust Boundary Violation | OPT.SCALA.SECURITY.TrustBoundaryViolation | TrustBoundaryViolation: Trust boundary violation |
| High | Unsafe Reflection | OPT.SCALA.SECURITY.UnsafeReflection | UnsafeReflection: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| High | XPath Injection | OPT.SCALA.SECURITY.XPathInjection | XPathInjection: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| High | Xslt Injection | OPT.SCALA.SECURITY.XsltInjection | XsltInjection: XML Injection (aka Blind XPath Injection) |
| High | Hardcoded Ip | OPT.SCALA.SECURITY.HardcodedIp | HardcodedIp: Do not write IP address in source code |
| High | Information Exposure Through Error Message | OPT.SCALA.SECURITY.InformationExposureThroughErrorMessage | InformationExposureThroughErrorMessage: Avoid sensitive information exposure through error messages |
| High | Cookies In Security Decision | OPT.SCALA.SECURITY.CookiesInSecurityDecision | CookiesInSecurityDecision: Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| High | User Controlled SQL Primary Key | OPT.SCALA.SECURITY.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using an user controlled Primary Key into a query |
| High | Hardcoded Salt | OPT.SCALA.SECURITY.HardcodedSalt | HardcodedSalt: A hardcoded salt can compromise system security |
| High | Inadequate Padding | OPT.SCALA.SECURITY.InadequatePadding | InadequatePadding: Inadequate padding |
| High | Insecure Transport | OPT.SCALA.SECURITY.InsecureTransport | InsecureTransport: Insecure transport |
| High | Insufficient Key Size | OPT.SCALA.SECURITY.InsufficientKeySize | InsufficientKeySize: Weak cryptography, insufficient key length |
| Info | Log Forging | OPT.SCALA.SECURITY.LogForging | LogForging: Improper Output Neutralization for Logs |
| Medium | Plaintext Storage In A Cookie Rule | OPT.SCALA.SECURITY.PlaintextStorageInACookieRule | PlaintextStorageInACookieRule: Cleartext Storage of Sensitive Information in a Cookie |
| Medium | Unsafe Cookie | OPT.SCALA.SECURITY.UnsafeCookie | UnsafeCookie: Generate server-side cookies with adequate security properties |
| Medium | Avoid Host Name Checks | OPT.SCALA.SECURITY.AvoidHostNameChecks | AvoidHostNameChecks: Avoid checks on client-side hostname, that are not reliable due to DNS poisoning |
| Medium | Format String Injection | OPT.SCALA.SECURITY.FormatStringInjection | FormatStringInjection: Exclude unsanitized user input from format strings |
| Medium | Serialization Injection | OPT.SCALA.SECURITY.SerializationInjection | SerializationInjection: Deserialization of untrusted data |
| Medium | Hardcoded Username Password | OPT.SCALA.SECURITY.HardcodedUsernamePassword | HardcodedUsernamePassword: Use of Hard-coded Credentials |
| Medium | JSON P Hijacking | OPT.SCALA.SECURITY.JSONPHijacking | JSONPHijacking: Sensitive information exposed through JSONP |
| Medium | Password In Configuration File | OPT.SCALA.SECURITY.PasswordInConfigurationFile | PasswordInConfigurationFile: Use of credentials into configuration file |
| Medium | Avoid Native Calls | OPT.SCALA.SECURITY.AvoidNativeCalls | AvoidNativeCalls: Avoid calls from Scala to native (JNI) code |
| Medium | Plaintext Storage Of Password | OPT.SCALA.SECURITY.PlaintextStorageOfPassword | PlaintextStorageOfPassword: Plaintext Storage of a Password |
| Medium | Privacy Violation | OPT.SCALA.SECURITY.PrivacyViolation | PrivacyViolation: Exposure of Private Information ('Privacy Violation') |
| Medium | Serializable Class Containing Sensitive Data | OPT.SCALA.SECURITY.SerializableClassContainingSensitiveData | SerializableClassContainingSensitiveData: Serializable Class Containing Sensitive Data |
| Medium | Detail Error Leak | OPT.SCALA.SECURITY.DetailErrorLeak | DetailErrorLeakRule: Do not send detail error information to client |
| Medium | Execution After Redirect | OPT.SCALA.SECURITY.ExecutionAfterRedirect | ExecutionAfterRedirect: Execution After Redirect (EAR) |
| Medium | Potential Infinite Loop | OPT.SCALA.SECURITY.PotentialInfiniteLoop | PotentialInfiniteLoop: Loop with Unreachable Exit Condition ('Infinite Loop') |
| Medium | Unchecked Input In Loop Condition | OPT.SCALA.SECURITY.UncheckedInputInLoopCondition | UncheckedInputInLoopCondition: Unchecked input in loop condition |
| Medium | Insecure Randomness | OPT.SCALA.SECURITY.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks |