Swift Scan rules
Contrast Scan supports these rules for Swift.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Code Injection | OPT.SWIFT.SECURITY.CodeInjection | CodeInjection: Avoid non-neutralized user-controlled input in dynamic code evaluation |
Critical | Command Injection | OPT.SWIFT.SECURITY.CommandInjection | CommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Critical | Connection String Parameter Pollution | OPT.SWIFT.SECURITY.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
Critical | Cross Site Scripting | OPT.SWIFT.SECURITY.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | Header Manipulation | OPT.SWIFT.SECURITY.HeaderManipulation | HeaderManipulation: Avoid including unvalidated data in HTTP response header or in Cookies |
Critical | JSON Injection | OPT.SWIFT.SECURITY.JSONInjection | JSONInjection: Avoid using non-neutralized user-controlled input in JSON entities (JSON Injection) |
Critical | Mail Command Injection | OPT.SWIFT.SECURITY.MailCommandInjection | MailCommandInjection: Mail Command Injection |
Critical | No SQL Injection | OPT.SWIFT.SECURITY.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
Critical | Regex Injection | OPT.SWIFT.SECURITY.RegexInjection | RegexInjection: Prevent denial of service attack through malicious regular expression ('Regex Injection') |
Critical | SQL Injection | OPT.SWIFT.SECURITY.SqlInjection | SqlInjection: Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) |
Critical | Xpath Injection | OPT.SWIFT.SECURITY.XpathInjection | XpathInjection: Avoid XPath expressions formed with non-neutralized user input |
Critical | Missing Password Field Masking | OPT.SWIFT.SECURITY.MissingPasswordFieldMasking | MissingPasswordFieldMasking: Password input field is not masked |
Critical | Avoid Dangerous Try | OPT.SWIFT.RELIABILITY.AvoidDangerousTry | AvoidDangerousTry: Avoid using the try operator together with the ! operator |
Critical | Path Traversal | OPT.SWIFT.SECURITY.PathTraversal | PathTraversal: Avoid non-neutralized user-controlled input composed in a pathname to a resource |
Critical | Weak Cryptographic Hash | OPT.SWIFT.SECURITY.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hashes cannot guarantee data integrity |
Critical | Weak Cryptographic Hash Salt | OPT.SWIFT.SECURITY.WeakCryptographicHashSalt | WeakCryptographicHashSalt: Weak cryptographic salts cannot guarantee data integrity |
Critical | Weak Cryptographic Key | OPT.SWIFT.SECURITY.WeakCryptographicKey | WeakCryptographicKey: Weak keys used for cryptographic purposes |
Critical | Weak Encryption | OPT.SWIFT.SECURITY.WeakEncryption | WeakEncryption: Weak symmetric encryption algorithm |
Critical | Weak Key Derivation Iteration | OPT.SWIFT.SECURITY.WeakKeyDerivationIteration | WeakKeyDerivationIteration: Too weak iteration count on key derivation |
Critical | Weak Key Derivation Password | OPT.SWIFT.SECURITY.WeakKeyDerivationPassword | WeakKeyDerivationPassword: Empty or nil password used in key derivation |
Critical | Weak Symmetric Encryption Initialization Vector | OPT.SWIFT.SECURITY.WeakSymmetricEncryptionInitializationVector | WeakSymmetricEncryptionInitializationVector: Weak encryption initialization vector |
Critical | Weak Symmetric Encryption Mode Of Operation | OPT.SWIFT.SECURITY.WeakSymmetricEncryptionModeOfOperation | WeakSymmetricEncryptionModeOfOperation: Do not use weak modes of operation with symmetric encryption |
High | Http Parameter Pollution Rule | OPT.SWIFT.SECURITY.HttpParameterPollutionRule | HttpParameterPollutionRule: HTTP parameter pollution (HPP) |
High | Log Forging | OPT.SWIFT.SECURITY.LogForging | LogForging: Improper Output Neutralization for Logs |
High | Open Redirect | OPT.SWIFT.SECURITY.OpenRedirect | OpenRedirect: Do not allow unvalidated input to control the URL used in a redirect |
High | Resource Injection | OPT.SWIFT.SECURITY.ResourceInjection | ResourceInjection: Improper control of resource identifiers ("Resource Injection") |
High | Unsafe Reflection | OPT.SWIFT.SECURITY.UnsafeReflection | UnsafeReflection: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
High | URL Scheme Hijacking | OPT.SWIFT.SECURITY.URLSchemeHijacking | URLSchemeHijacking: URL scheme hijacking through user input |
High | XML Entity Injection | OPT.SWIFT.SECURITY.XMLEntityInjection | XMLEntityInjection: XML entity injection |
High | XML Injection | OPT.SWIFT.SECURITY.XMLInjection | XMLInjection: XML Injection (aka Blind XPath Injection) |
High | Hardcoded Ip | OPT.SWIFT.SECURITY.HardcodedIp | HardcodedIp: Do not write IP addresses in source code |
High | Avoid Maximum Location Accuracy When Possible | OPT.SWIFT.EFFICIENCY.AvoidMaximumLocationAccuracyWhenPossible | AvoidMaximumLocationAccuracyWhenPossible: Avoid using the best location accuracy by default |
High | Cache Date Formatters | OPT.SWIFT.EFFICIENCY.CacheDateFormatters | CacheDateFormatters: Cache a single instance of NSDateFormatter types instead of creating multiple instances |
High | Do Not Instantiate Temporal Objects Loops | OPT.SWIFT.EFFICIENCY.DoNotInstantiateTemporalObjectsLoops | DoNotInstantiateTemporalObjectsLoops: Avoid allocating temporal objects in loop bodies |
High | Minimize Bluetooth Interaction | OPT.SWIFT.EFFICIENCY.MinimizeBluetoothInteraction | MinimizeBluetoothInteraction: Avoid using CBCentralManagerScanOptionAllowDuplicatesKey constant as a scan option |
High | Class Cyclomatic Complexity | OPT.SWIFT.MAINTAINABILITY.ClassCyclomaticComplexity | ClassCyclomaticComplexity: Avoid using classes with high cyclomatic complexity values |
High | Dead Stores | OPT.SWIFT.MAINTAINABILITY.DeadStores | DeadStores: Bound local variable value is never used |
High | Method Cyclomatic Complexity | OPT.SWIFT.MAINTAINABILITY.MethodCyclomaticComplexity | MethodCyclomaticComplexity: Avoid using methods with high cyclomatic complexity values |
High | Unused Local Var | OPT.SWIFT.MAINTAINABILITY.UnusedLocalVar | UnusedLocalVar: Unused local variable |
High | Hardcoded Absolute Path | OPT.SWIFT.PORTABILITY.HardcodedAbsolutePath | HardcodedAbsolutePath: Do not hardcode absolute paths |
High | Avoid Empty Catch Blocks | OPT.SWIFT.RELIABILITY.AvoidEmptyCatchBlocks | AvoidEmptyCatchBlocks: Avoid using empty catch blocks |
High | User Controlled SQL Primary Key | OPT.SWIFT.SECURITY.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using a user-controlled primary key in a query |
High | Insecure Transport | OPT.SWIFT.SECURITY.InsecureTransport | InsecureTransport: Insecure transport |
Low | Password In Comment Rule | OPT.SWIFT.SECURITY.PasswordInCommentRule | PasswordInCommentRule: Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security |
Low | Avoid Locks | OPT.SWIFT.EFFICIENCY.AvoidLocks | AvoidLocks: Avoid using locks |
Low | Avoid Commented Out Code | OPT.SWIFT.MAINTAINABILITY.AvoidCommentedOutCode | AvoidCommentedOutCode: Avoid commented out code blocks |
Low | Functions Should Not Return Constants | OPT.SWIFT.MAINTAINABILITY.FunctionsShouldNotReturnConstants | FunctionsShouldNotReturnConstants: Functions shouldn't return the same constant value |
Low | Review Useless Empty Blocks | OPT.SWIFT.MAINTAINABILITY.ReviewUselessEmptyBlocks | ReviewUselessEmptyBlocks: Avoid using loops and conditional statements with empty blocks |
Low | Unused Parameter | OPT.SWIFT.MAINTAINABILITY.UnusedParameter | UnusedParameter: Unused function parameter |
Low | Only One Return | OPT.SWIFT.RELIABILITY.OnlyOneReturn | OnlyOneReturn: Too many return statements in a function or method |
Low | Unconditional Jump Statements | OPT.SWIFT.RELIABILITY.UnconditionalJumpStatements | UnconditionalJumpStatements: Wrong use of unconditional jump statements |
Medium | Plaintext Storage In A Cookie Rule | OPT.SWIFT.SECURITY.PlaintextStorageInACookieRule | PlaintextStorageInACookieRule: Cleartext Storage of Sensitive Information in a Cookie |
Medium | Unsafe Cookie | OPT.SWIFT.SECURITY.UnsafeCookie | UnsafeCookie: Generate server-side cookies with adequate security properties |
Medium | Serialization Injection | OPT.SWIFT.SECURITY.SerializationInjection | SerializationInjection: Deserialization of untrusted data |
Medium | String Format Injection | OPT.SWIFT.SECURITY.StringFormatInjection | StringFormatInjection: Exclude unsanitized user input from format strings |
Medium | Hardcoded Username Password | OPT.SWIFT.SECURITY.HardcodedUsernamePassword | HardcodedUsernamePassword: Use of Hard-coded Credentials |
Medium | HTTP Response Caching Leak | OPT.SWIFT.SECURITY.HTTPResponseCachingLeak | HTTPResponseCachingLeak: Sensitive HTTP responses being cached |
Medium | Insecure Temporary File | OPT.SWIFT.SECURITY.InsecureTemporaryFile | InsecureTemporaryFile: Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
Medium | Keyboard Caching Leak | OPT.SWIFT.SECURITY.KeyboardCachingLeak | KeyboardCachingLeak: Sensitive data leaked through keyboard cache |
Medium | Password In Configuration File | OPT.SWIFT.SECURITY.PasswordInConfigurationFile | PasswordInConfigurationFile: Use of credentials in a configuration file |
Medium | Pasteboard Caching Leak | OPT.SWIFT.SECURITY.PasteboardCachingLeak | PasteboardCachingLeak: Sensitive data leaked through the pasteboard caching mechanism |
Medium | Privacy Violation | OPT.SWIFT.SECURITY.PrivacyViolation | PrivacyViolation: Exposure of Private Information ('Privacy Violation') |
Medium | Sensitive Core Data | OPT.SWIFT.SECURITY.SensitiveCoreData | SensitiveCoreData: Sensitive data stored in CoreData ('Privacy Violation') |
Medium | Sensitive Data Accessed From Itunes | OPT.SWIFT.SECURITY.SensitiveDataAccessedFromItunes | SensitiveDataAccessedFromItunes: Exposure of Private Information ('Privacy Violation') |
Medium | Sensitive SQL | OPT.SWIFT.SECURITY.SensitiveSQL | SensitiveSQL: Sensitive data stored in a SQL database ('Privacy Violation') |
Medium | Sensitive No SQL | OPT.SWIFT.SECURITY.SensitiveNoSQL | SensitiveNoSQL: Sensitive data stored in a NoSQL database ('Privacy Violation') |
Medium | Sensitive User Defaults | OPT.SWIFT.SECURITY.SensitiveUserDefaults | SensitiveUserDefaults: Sensitive data stored in UserDefaults ('Privacy Violation') |
Medium | Serializable Class Containing Sensitive Data | OPT.SWIFT.SECURITY.SerializableClassContainingSensitiveData | SerializableClassContainingSensitiveData: Serializable Class Containing Sensitive Data |
Medium | Screen Caching Leak | OPT.SWIFT.SECURITY.ScreenCachingLeak | ScreenCachingLeak: Sensitive data leaked through the screen caching mechanism when app is backgrounded |
Medium | Third Party Keyboard Allowed | OPT.SWIFT.SECURITY.ThirdPartyKeyboardAllowed | ThirdPartyKeyboardAllowed: Avoid exposing sensitive data to third party keyboards. |
Medium | Avoid Comparing Count To Zero | OPT.SWIFT.EFFICIENCY.AvoidComparingCountToZero | AvoidComparingCountToZero: Use isEmpty to check if a collection is empty |
Medium | Stop Scanning On Device Found | OPT.SWIFT.EFFICIENCY.StopScanningOnDeviceFound | StopScanningOnDeviceFound: Stop scanning once a device has already been found |
Medium | Vars Should Be Constants | OPT.SWIFT.EFFICIENCY.VarsShouldBeConstants | VarsShouldBeConstants: Vars that never change should be constants |
Medium | Avoid Excessive Nested Statements | OPT.SWIFT.MAINTAINABILITY.AvoidExcessiveNestedStatements | AvoidExcessiveNestedStatements: Avoid too deeply nested statements |
Medium | Avoid Same Class Field Names | OPT.SWIFT.MAINTAINABILITY.AvoidSameClassFieldNames | AvoidSameClassFieldNames: Avoid giving an attribute the same name as its class |
Medium | Avoid Same Method Field Names | OPT.SWIFT.MAINTAINABILITY.AvoidSameMethodFieldNames | AvoidSameMethodFieldNames: Methods and class fields should not differ only by capitalization |
Medium | Avoid Many Parameters Function | OPT.SWIFT.MAINTAINABILITY.AvoidManyParametersFunction | AvoidManyParametersFunction: Too many arguments in a function or method |
Medium | Density Of Comments | OPT.SWIFT.MAINTAINABILITY.DensityOfComments | DensityOfComments: Source code must be properly commented |
Medium | Nested Switch Statement | OPT.SWIFT.MAINTAINABILITY.NestedSwitchStatement | NestedSwitchStatement: Avoid nesting switch statements |
Medium | One Statement Per Line | OPT.SWIFT.MAINTAINABILITY.OneStatementPerLine | OneStatementPerLine: Use only one statement per line |
Medium | Unused Private Function | OPT.SWIFT.MAINTAINABILITY.UnusedPrivateFunction | UnusedPrivateFunction: Avoid unused private methods and constructors |
Medium | Avoid Forced Type Conversion | OPT.SWIFT.RELIABILITY.AvoidForcedTypeConversion | AvoidForcedTypeConversion: Avoid using forced type conversion |
Medium | Buffer Overflow | OPT.SWIFT.RELIABILITY.BufferOverflow | BufferOverflow: Potential memory corruption |
Medium | Local Vars With Global Name | OPT.SWIFT.RELIABILITY.LocalVarsWithGlobalName | LocalVarsWithGlobalName: Same name for local and global variable |
Medium | Potential Encoding Buffer Overflow | OPT.SWIFT.RELIABILITY.PotentialEncodingBufferOverflow | PotentialEncodingBufferOverflow: Potential memory corruption |
Medium | Unreachable Code | OPT.SWIFT.RELIABILITY.UnreachableCode | UnreachableCode: Avoid unreachable code |
Medium | Use Weak References With Delegate Protocols | OPT.SWIFT.RELIABILITY.UseWeakReferencesWithDelegateProtocols | UseWeakReferencesWithDelegateProtocols: Delegate protocols must be class-only |
Medium | Avoid SMS | OPT.SWIFT.SECURITY.AvoidSMS | AvoidSMS: Avoid performing SMS-related operations |
Medium | Biometric Without Message | OPT.SWIFT.SECURITY.BiometricWithoutMessage | BiometricWithoutMessage: User is asked for fingerprints without reason |
Medium | Execution After Redirect | OPT.SWIFT.SECURITY.ExecutionAfterRedirect | ExecutionAfterRedirect: Execution After Redirect (EAR) |
Medium | Missing Content Validation | OPT.SWIFT.SECURITY.MissingContentValidation | MissingContentValidation: Missing Content Validation |
Medium | Potential Infinite Loop | OPT.SWIFT.SECURITY.PotentialInfiniteLoop | PotentialInfiniteLoop: Loop with Unreachable Exit Condition ('Infinite Loop') |
Medium | Server Trust Credential Check | OPT.SWIFT.SECURITY.ServerTrustCredentialCheck | ServerTrustCredentialCheck: Evaluate server certificate trust chain |
Medium | Unchecked Input In Loop Condition | OPT.SWIFT.SECURITY.UncheckedInputInLoopCondition | UncheckedInputInLoopCondition: Unchecked input in loop condition |