Scala Rules

SAST rules for Scala that identify insecure patterns in application code.

Scala Rule Catalog

| ID | Title | Severity | Category |
|---|---|---|---|
| CODE-0042 | OS Command Injection | CRITICAL | Injection |
| CODE-0057 | Hard-coded Password in Database Connection String | CRITICAL | Secrets |
| CODE-0058 | Hard-coded Database Password | CRITICAL | Secrets |
| CODE-0074 | Template Injection | CRITICAL | Injection |
| CODE-0011 | HTTP Response Splitting | HIGH | Injection |
| CODE-0012 | HTTP Response Splitting Vulnerability | HIGH | Injection |
| CODE-0013 | HTTP Response Splitting Vulnerability | HIGH | Injection |
| CODE-0015 | Permissive Cross-domain Policy with Untrusted Domains | HIGH | Web |
| CODE-0033 | Unencrypted Server Socket | HIGH | Crypto |
| CODE-0034 | Unvalidated Redirect | HIGH | Web |
| CODE-0035 | Improper Certificate Validation | HIGH | Crypto |
| CODE-0036 | Path Traversal in File Upload | HIGH | AccessControl |
| CODE-0039 | AWS Query Injection | HIGH | Injection |
| CODE-0040 | Bean Property Injection | HIGH | Injection |
| CODE-0041 | CRLF Injection in Logs | HIGH | Logging |
| CODE-0043 | SQL Injection Vulnerability | HIGH | Injection |
| CODE-0044 | SQL Injection Vulnerability | HIGH | Injection |
| CODE-0045 | Expression Language Injection | HIGH | Injection |
| CODE-0046 | Server-side redirect path constructed with user input | HIGH | Injection |
| CODE-0047 | HTTP Parameter Pollution | HIGH | Web |
| CODE-0051 | Path Traversal Vulnerability | HIGH | Injection |
| CODE-0052 | Path Traversal Vulnerability | HIGH | Injection |
| CODE-0053 | Path Traversal | HIGH | Injection |
| CODE-0054 | SQL Injection | HIGH | Injection |
| CODE-0056 | LDAP Entry Poisoning | HIGH | Injection |
| CODE-0059 | Hard-coded Password | HIGH | Secrets |
| CODE-0060 | Insecure inherited permissions | HIGH | AccessControl |
| CODE-0061 | Overly Permissive File Permission | HIGH | InsecureConfig |
| CODE-0063 | Improper Control of Generation of Code ('Code Injection') | HIGH | Injection |
| CODE-0065 | Insecure SMTP SSL Configuration | HIGH | InsecureConfig |
| CODE-0066 | SMTP Header Injection | HIGH | Injection |
| CODE-0068 | Server-Side Request Forgery (SSRF) | HIGH | Web |
| CODE-0070 | Use of Externally-Controlled Format String | HIGH | Injection |
| CODE-0075 | External Control of System or Configuration Setting | HIGH | InsecureConfig |
| CODE-0078 | Deserialization of Untrusted Data | HIGH | Deserialization |
| CODE-0080 | Deserialization of Untrusted Data | HIGH | Deserialization |
| CODE-0083 | Cross-Site Scripting (XSS) via Improper Input Neutralization | HIGH | Web |
| CODE-0087 | Cross-site Scripting (XSS) Vulnerability | HIGH | Web |
| CODE-0089 | XML External Entity (XXE) Vulnerability | HIGH | Injection |
| CODE-0009 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | MEDIUM | Web |
| CODE-0010 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | MEDIUM | Web |
| CODE-0014 | Trust Boundary Violation | MEDIUM | Web |
| CODE-0017 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0018 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0019 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0020 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0021 | Missing Support for Integrity Check | MEDIUM | Crypto |
| CODE-0022 | Padding Oracle Vulnerability in CBC Mode with PKCS5Padding | MEDIUM | Crypto |
| CODE-0023 | Use of Custom MessageDigest | MEDIUM | Crypto |
| CODE-0024 | Inadequate encryption strength | MEDIUM | InsecureConfig |
| CODE-0025 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0026 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0027 | Use of a Broken or Risky Cryptographic Algorithm | MEDIUM | Crypto |
| CODE-0028 | Use of RSA Algorithm without OAEP | MEDIUM | Crypto |
| CODE-0029 | Inadequate Encryption Strength | MEDIUM | Crypto |
| CODE-0030 | Improper Certificate Validation | MEDIUM | Crypto |
| CODE-0031 | Insecure JAX-RS Endpoint | MEDIUM | Web |
| CODE-0032 | Insecure JAX-WS Endpoint | MEDIUM | Web |
| CODE-0037 | Path Traversal Vulnerability | MEDIUM | AccessControl |
| CODE-0038 | Improper Input Validation in Form | MEDIUM | Web |
| CODE-0048 | LDAP Injection | MEDIUM | Injection |
| CODE-0049 | Expression injection (OGNL) | MEDIUM | Injection |
| CODE-0050 | Path Traversal Vulnerability | MEDIUM | Injection |
| CODE-0055 | LDAP Anonymous Authentication | MEDIUM | Auth |
| CODE-0062 | Overly Permissive File Permission | MEDIUM | InsecureConfig |
| CODE-0064 | Improper Control of Generation of Code ('Code Injection') | MEDIUM | Injection |
| CODE-0067 | Server-Side Request Forgery (SSRF) | MEDIUM | Web |
| CODE-0069 | Incorrect Type Conversion or Cast | MEDIUM | Generic |
| CODE-0071 | Improper Handling of Unicode Encoding | MEDIUM | Generic |
| CODE-0072 | Modification After Validation | MEDIUM | Injection |
| CODE-0073 | Normalize strings before validating them | MEDIUM | Injection |
| CODE-0077 | Exposure of sensitive system information | MEDIUM | Secrets |
| CODE-0079 | Ignoring XML comments in SAML | MEDIUM | Auth |
| CODE-0082 | XPath Injection | MEDIUM | Injection |
| CODE-0084 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | MEDIUM | Web |
| CODE-0085 | Cross-Site Scripting (XSS) via Disabling HTML Escaping | MEDIUM | Web |
| CODE-0086 | Servlet Reflected Cross Site Scripting Vulnerability | MEDIUM | Web |
| CODE-0088 | XML External Entity (XXE) Injection | MEDIUM | Injection |
| CODE-0090 | XML External Entity (XXE) Vulnerability | MEDIUM | Injection |
| CODE-0091 | XML External Entity (XXE) Vulnerability | MEDIUM | Injection |
| CODE-0092 | XML External Entity (XXE) Vulnerability | MEDIUM | Injection |
| CODE-0093 | XML External Entity (XXE) Vulnerability | MEDIUM | Injection |
| CODE-0007 | Sensitive Cookie Without 'HttpOnly' Flag | LOW | Web |
| CODE-0008 | Insecure Cookie Creation | LOW | Web |
| CODE-0076 | Information Exposure Through an Error Message | LOW | ErrorHandling |
| CODE-0676 | Stack trace exposure via output | LOW | ErrorHandling |

Total Rules: 86