Coverity Static Analysis Support For DISA-STIG

Coverity Static Analysis Support for DISA Application Security and Development Security Technical Implementation Guide (STIG)

Ensure the safety, reliability, and security of Department of Defense information systems.

The Security Technical Implementation Guides (STIGs) are security configuration guidelines and hardening frameworks provided by the Department of Defense's (DoD's) Defense Information Systems Agency (DISA). To date DISA has issued more than 450 STIGs, and one of them focuses on application security. This Application Security and Development (ASD) STIG is derived from the National Institute of Standards and Technology's (NIST) 800-53 and related documents and defines guidelines for use throughout the application development life cycle. The STIG provides the guidance needed to promote the development, integration, and updating of secure applications. Following these guidelines and adhering to coding standards are crucial steps in establishing best coding practices. Standards adherence is particularly important in safety-critical, high-impact industries such as automotive, medical, and networking, where software defects manifest themselves physically and tangibly, often with life-threatening consequences. The Application Security and Development STIG can be found here: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capp-security-dev

Synopsys' Coverity Static Analysis identifies non-compliance with the guidelines listed in the DISA STIG for Application Security and Development. The STIG IDs are mapped to Coverity checkers, which helps application developers and application security managers find violations of these rules in their applications. For a complete list of STIG IDs and the descriptions listed in the following tables, see the Application Security and Development STIG. Coverity Connect enables users to filter and visualize findings per the Coverity checker mapping to DISA STIG IDs and categories. Users can also request Synopsys Consulting services to build a script, or write one on their own, to generate a PDF report based on the DISA STIG filtered mapping available in Coverity Connect.

DISA Application Security and Development STIG supported checkers

Each entry below gives the STIG ID, the STIG requirement (Description), and the Coverity checker names mapped to it.

APSC-DV-000060: The application must clear temporary storage and cookies when the session is terminated.
    Checkers: SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA

APSC-DV-000170: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
    Checkers: CONFIG.SPRING_SECURITY_WEAK_PASSWORD_HASH, INSECURE_SALT, RAILS_DEVISE_CONFIG, RISKY_CRYPTO, SA.RISKY_CRYPTO, WEAK_PASSWORD_HASH

APSC-DV-000500: The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
    Checkers: CONFIG.JAVAEE_MISSING_SERVLET_MAPPING, INSECURE_DIRECT_OBJECT_REFERENCE, CONFIG.MISSING_JSF2_SECURITY_CONSTRAINT, CONFIG.MYBATIS_MAPPER_SQLI, CONFIG.SPRING_SECURITY_DISABLE_AUTH_TAGS, CONFIG.STRUTS2_CONFIG_BROWSER_PLUGIN, JSP_SQL_INJECTION, RAILS_DEFAULT_ROUTES, RAILS_MISSING_FILTER_ACTION, SQLI, SQL_NOT_CONSTANT, CERT POS37-C, CERT SER08-J, PMD.ApexSharingViolations

APSC-DV-000510: The application must execute without excessive account permissions.
    Checkers: CERT SER08-J

APSC-DV-000530: The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
    Checkers: RAILS_DEVISE_CONFIG

APSC-DV-000580: The application must display the time and date of the user's last successful logon.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000650: The application must not write sensitive data into the application logs.
    Checkers: CONFIG.CORDOVA_EXCESSIVE_LOGGING, CONFIG.SEQUELIZE_ENABLED_LOGGING, CONFIG.SPRING_BOOT_SENSITIVE_LOGGING, EXPRESS_WINSTON_SENSITIVE_LOGGING, SENSITIVE_DATA_LEAK

APSC-DV-000670: The application must record a time stamp indicating when the event occurred.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000700: The application must record the username or user ID of the user associated with the event.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000940: The application must log application shutdown events.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000950: The application must log destination IP addresses.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000960: The application must log user actions involving access to data.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-000970: The application must log user actions involving changes to data.
    Checkers: INSUFFICIENT_LOGGING, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-001280: The application must protect audit information from any type of unauthorized read access.
    Checkers: HARDCODED_CREDENTIALS, LOCALSTORAGE_WRITE, SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA, UNRESTRICTED_ACCESS_TO_FILE

APSC-DV-001290: The application must protect audit information from unauthorized modification.
    Checkers: HARDCODED_CREDENTIALS, LOCALSTORAGE_WRITE, SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA, UNRESTRICTED_ACCESS_TO_FILE

APSC-DV-001300: The application must protect audit information from unauthorized deletion.
    Checkers: HARDCODED_CREDENTIALS, LOCALSTORAGE_WRITE, SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA, UNRESTRICTED_ACCESS_TO_FILE

APSC-DV-001350: The application must use cryptographic mechanisms to protect the integrity of audit information.
    Checkers: AWS_SSL_DISABLED, CONFIG.ATS_INSECURE, CONFIG.SEQUELIZE_INSECURE_CONNECTION, CONFIG.SPRING_BOOT_SSL_DISABLED, CONFIG.SPRING_SECURITY_LOGIN_OVER_HTTP, DISABLED_ENCRYPTION, HAPI_SESSION_MONGO_MISSING_TLS, HARDCODED_CREDENTIALS, INSECURE_COMMUNICATION, INSECURE_COOKIE, INSECURE_MULTIPEER_CONNECTION, INSECURE_REMEMBER_ME_COOKIE, SENSITIVE_DATA_LEAK, STRICT_TRANSPORT_SECURITY, UNENCRYPTED_SENSITIVE_DATA, UNSAFE_SESSION_SETTING, UNSAFE_BASIC_AUTH, CERT MSC18-C, PMD.ApexInsecureEndpoint

APSC-DV-001360: Application audit tools must be cryptographically hashed.
    Checkers: INSECURE_SALT, RISKY_CRYPTO, WEAK_PASSWORD_HASH

APSC-DV-001370: The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value.
    Checkers: INSECURE_SALT, RISKY_CRYPTO, WEAK_PASSWORD_HASH

APSC-DV-001650: The application must authenticate all network connected endpoint devices before establishing any connection.
    Checkers: AWS_VALIDATION_DISABLED, BAD_CERT_VERIFICATION, CONFIG.MYSQL_SSL_VERIFY_DISABLED, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SPRING_BOOT_SSL_DISABLED, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, HPKP_MISCONFIGURATION, RISKY_CRYPTO, SA.RISKY_CRYPTO, WEAK_GUARD, CERT SEC06-J

APSC-DV-001660: Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
    Checkers: AWS_SSL_DISABLED, AWS_VALIDATION_DISABLED, BAD_CERT_VERIFICATION, CONFIG.ATS_INSECURE, CONFIG.MYSQL_SSL_VERIFY_DISABLED, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SEQUELIZE_INSECURE_CONNECTION, CONFIG.SPRING_BOOT_SSL_DISABLED, CONFIG.SPRING_SECURITY_LOGIN_OVER_HTTP, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, DISABLED_ENCRYPTION, HAPI_SESSION_MONGO_MISSING_TLS, HPKP_MISCONFIGURATION, INSECURE_COMMUNICATION, INSECURE_MULTIPEER_CONNECTION, RISKY_CRYPTO, SA.RISKY_CRYPTO, SENSITIVE_DATA_LEAK, STRICT_TRANSPORT_SECURITY, UNENCRYPTED_SENSITIVE_DATA, UNSAFE_BASIC_AUTH, CERT MSC18-C, CERT SEC06-J, PMD.ApexInsecureEndpoint

APSC-DV-001680: The application must enforce a minimum 15-character password length.
    Checkers: MISSING_PASSWORD_VALIDATOR, RAILS_DEVISE_CONFIG

APSC-DV-001690: The application must enforce password complexity by requiring that at least one upper case character be used.
    Checkers: MISSING_PASSWORD_VALIDATOR, RAILS_DEVISE_CONFIG

APSC-DV-001700: The application must enforce password complexity by requiring that at least one lower case character be used.
    Checkers: MISSING_PASSWORD_VALIDATOR, RAILS_DEVISE_CONFIG

APSC-DV-001710: The application must enforce password complexity by requiring that at least one numeric character be used.
    Checkers: MISSING_PASSWORD_VALIDATOR, RAILS_DEVISE_CONFIG

APSC-DV-001720: The application must enforce password complexity by requiring that at least one special character be used.
    Checkers: MISSING_PASSWORD_VALIDATOR, RAILS_DEVISE_CONFIG

APSC-DV-001740: The application must only store cryptographic representations of passwords.
    Checkers: CONFIG.CONNECTION_STRING_PASSWORD, CONFIG.HARDCODED_CREDENTIALS_AUDIT, CONFIG.HARDCODED_TOKEN, HARDCODED_CREDENTIALS, CONFIG.SPRING_SECURITY_WEAK_PASSWORD_HASH, INSECURE_SALT, RAILS_DEVISE_CONFIG, SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA, WEAK_PASSWORD_HASH

APSC-DV-(ID garbled in source): The application must transmit only cryptographically-protected passwords.
    Checkers: AWS_SSL_DISABLED, CONFIG.ATS_INSECURE, CONFIG.SEQUELIZE_INSECURE_CONNECTION, INSECURE_COMMUNICATION, INSECURE_MULTIPEER_CONNECTION, SENSITIVE_DATA_LEAK, STRICT_TRANSPORT_SECURITY, UNENCRYPTED_SENSITIVE_DATA

APSC-DV-001770: The application must enforce a 60-day maximum password lifetime restriction.
    Checkers: RAILS_DEVISE_CONFIG

APSC-DV-001795: The application password must not be changeable by users other than the administrator or the user with which the password is associated.
    Checkers: CONFIG.CONNECTION_STRING_PASSWORD, CONFIG.HARDCODED_CREDENTIALS_AUDIT, CONFIG.HARDCODED_TOKEN, CONFIG.SPRING_SECURITY_HARDCODED_CREDENTIALS, CONFIG.SPRING_SECURITY_REMEMBER_ME_HARDCODED_KEY, HARDCODED_CREDENTIALS, UNSAFE_BASIC_AUTH, UNSAFE_SESSION_SETTING, CERT MSC03-J, PMD.ApexBadCrypto, PMD.ApexSuggestUsingNamedCred

APSC-DV-001810: The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
    Checkers: AWS_VALIDATION_DISABLED, BAD_CERT_VERIFICATION, CONFIG.MYSQL_SSL_VERIFY_DISABLED, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SPRING_BOOT_SSL_DISABLED, HPKP_MISCONFIGURATION

APSC-DV-001820: The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
    Checkers: HARDCODED_CREDENTIALS, UNSAFE_SESSION_SETTING, PMD.ApexBadCrypto

APSC-DV-001830: The application must map the authenticated identity to the individual user or group account for PKI-based authentication.
    Checkers: BAD_CERT_VERIFICATION

APSC-DV-001840: The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
    Checkers: BAD_CERT_VERIFICATION

APSC-DV-001995: The application must not be vulnerable to race conditions.
    Checkers: ATOMICITY, BAD_CHECK_OF_WAIT_COND, BAD_LOCK_OBJECT, DC.DEADLOCK, GUARDED_BY_VIOLATION, LOCK, LOCK_EVASION, LOCK_INVERSION, MISSING_LOCK, NON_STATIC_GUARDING_STATIC, ORDER_REVERSAL, SERVLET_ATOMICITY, SINGLETON_RACE, SLEEP, TOCTOU, VOLATILE_ATOMICITY, CERT CON31-C, CERT CON35-C, CERT CON40-C, CERT CON50-CPP, CERT CON51-CPP, CERT CON53-CPP, CERT CON56-CPP, CERT FIO45-C, CERT MET01-J, CERT POS35-C, CERT POS52-C, CERT SIG30-C, CERT LCK01-J, CERT MSC07-J

APSC-DV-002000: The application must terminate all network connections associated with a communications session at the end of the session.
    Checkers: CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN, CONFIG.UNSAFE_SESSION_TIMEOUT, CORS_MISCONFIGURATION_AUDIT, HPKP_MISCONFIGURATION, INSUFFICIENT_PRESIGNED_URL_TIMEOUT, JSONWEBTOKEN_IGNORED_EXPIRATION_TIME, TEMPORARY_CREDENTIALS_DURATION

APSC-DV-002210: The application must set the HTTPOnly flag on session cookies.
    Checkers: CONFIG.JAVAEE_MISSING_HTTPONLY

APSC-DV-002220: The application must set the secure flag on session cookies.
    Checkers: INSECURE_COOKIE, INSECURE_REMEMBER_ME_COOKIE, UNSAFE_SESSION_SETTING

APSC-DV-002230: The application must not expose session IDs.
    Checkers: CONFIG.SPRING_SECURITY_SESSION_FIXATION, SESSION_FIXATION

APSC-DV-002240: The application must destroy the session ID value and/or cookie on logoff or browser close.
    Checkers: CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN, CONFIG.UNSAFE_SESSION_TIMEOUT, CORS_MISCONFIGURATION_AUDIT, HPKP_MISCONFIGURATION, INSUFFICIENT_PRESIGNED_URL_TIMEOUT, JSONWEBTOKEN_IGNORED_EXPIRATION_TIME, SENSITIVE_DATA_LEAK, TEMPORARY_CREDENTIALS_DURATION, UNENCRYPTED_SENSITIVE_DATA

APSC-DV-002250: Applications must use system-generated session identifiers that protect against session fixation.
    Checkers: CONFIG.SPRING_SECURITY_SESSION_FIXATION, SESSION_FIXATION

APSC-DV-002260: Applications must validate session identifiers.
    Checkers: CONFIG.COOKIE_SIGNING_DISABLED

APSC-DV-002280: The application must not re-use or recycle session IDs.
    Checkers: CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN, CONFIG.UNSAFE_SESSION_TIMEOUT, CORS_MISCONFIGURATION_AUDIT, HPKP_MISCONFIGURATION, INSUFFICIENT_PRESIGNED_URL_TIMEOUT, JSONWEBTOKEN_IGNORED_EXPIRATION_TIME, TEMPORARY_CREDENTIALS_DURATION

APSC-DV-002300: The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
    Checkers: AWS_VALIDATION_DISABLED, BAD_CERT_VERIFICATION, CONFIG.MYSQL_SSL_VERIFY_DISABLED, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SPRING_BOOT_SSL_DISABLED, HPKP_MISCONFIGURATION

APSC-DV-002370: The application must maintain a separate execution domain for each executing process.
    Checkers: ARRAY_VS_SINGLETON, BAD_ALLOC_ARITHMETIC, BUFFER_SIZE, COM.BAD_FREE, COM.BSTR.ALLOC, COM.BSTR.CONV, INCOMPATIBLE_CAST, INTEGER_OVERFLOW, INVALIDATE_ITERATOR, MISMATCHED_ITERATOR, MISSING_ASSIGN, MISSING_COPY, OVERRUN, REVERSE_NEGATIVE, SIZECHECK, STRING_OVERFLOW, STRING_SIZE, TAINTED_SCALAR, USE_AFTER_FREE, WRAPPER_ESCAPE, UNSAFE_FUNCTIONALITY
    Note: This ASD STIG ID is also partially covered by some checkers for the SEI CERT C/C++, MISRA, and AUTOSAR standards. Contact Synopsys to obtain a full list of checkers that address the issues related to STIG ID APSC-DV-002370. Synopsys customers can also find this list in the Checker Reference technical guide.

APSC-DV-002380: Applications must prevent unauthorized and unintended information transfer via shared system resources.
    Checkers: SENSITIVE_DATA_LEAK

APSC-DV-002390: XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
    Checkers: WEAK_XML_SCHEMA, XML_EXTERNAL_ENTITY, XML_INJECTION, XPATH_INJECTION, UNSAFE_XML_PARSE_CONFIG

APSC-DV-002400: The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
    Checkers: BUSBOY_MISCONFIGURATION, COM.ADDROF_LEAK, COM.BAD_FREE, COM.BSTR.ALLOC, CONFIG.CORDOVA_EXCESSIVE_LOGGING, CONFIG.DEAD_AUTHORIZATION_RULE, CONFIG.DWR_DEBUG_MODE, CONFIG.JAVAEE_MISSING_SERVLET_MAPPING, CONFIG.MISSING_JSF2_SECURITY_CONSTRAINT, CONFIG.MYBATIS_MAPPER_SQLI, CONFIG.SOCKETIO_MAXHTTPBUFFERSIZE_SET_TOO_LARGE, CONFIG.SPRING_SECURITY_DISABLE_AUTH_TAGS, CONFIG.STRUTS2_CONFIG_BROWSER_PLUGIN, CONFIG.STRUTS2_DYNAMIC_METHOD_INVOCATION, CONFIG.STRUTS2_ENABLED_DEV_MODE, CTOR_DTOR_LEAK, EXPRESS_SESSION_UNSAFE_MEMORYSTORE, FILE_UPLOAD_MISCONFIGURATION, FORMAT_STRING_INJECTION, IMPLICIT_INTENT, HARDCODED_CREDENTIALS, INSECURE_DIRECT_OBJECT_REFERENCE, JSP_SQL_INJECTION, LOCALSTORAGE_WRITE, LOCK, MISSING_ASSIGN, MISSING_COPY, MISSING_PERMISSION_FOR_BROADCAST, MULTER_MISCONFIGURATION, NEGATIVE_RETURNS, NO_EFFECT, PW.NON_CONST_PRINTF_FORMAT_STRING, RAILS_DEFAULT_ROUTES, RAILS_DEVISE_CONFIG, RAILS_MISSING_FILTER_ACTION, RESOURCE_LEAK, RUBY_VULNERABLE_LIBRARY, SENSITIVE_DATA_LEAK, SQLI, SQL_NOT_CONSTANT, STACK_USE, TAINTED_SCALAR, UNENCRYPTED_SENSITIVE_DATA, UNLIMITED_CONCURRENT_SESSIONS, UNRESTRICTED_ACCESS_TO_FILE, USE_AFTER_FREE, VIRTUAL_DTOR, WEAK_XML_SCHEMA, WRAPPER_ESCAPE, XML_EXTERNAL_ENTITY
    Note: This ASD STIG ID is also partially covered by some checkers for the SEI CERT C/C++, SEI CERT Java, MISRA, and AUTOSAR standards. Contact Synopsys to obtain a full list of checkers that address the issues related to STIG ID APSC-DV-002400. Synopsys customers can also find this list in the Checker Reference technical guide.

APSC-DV-002440: The application must protect the confidentiality and integrity of transmitted information.
    Checkers: AWS_SSL_DISABLED, BAD_CERT_VERIFICATION, CONFIG.ATS_INSECURE, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SEQUELIZE_INSECURE_CONNECTION, CONFIG.SPRING_BOOT_SSL_DISABLED, CONFIG.SPRING_SECURITY_LOGIN_OVER_HTTP, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, DISABLED_ENCRYPTION, HAPI_SESSION_MONGO_MISSING_TLS, HARDCODED_CREDENTIALS, INSECURE_COMMUNICATION, INSECURE_COOKIE, INSECURE_MULTIPEER_CONNECTION, INSECURE_REMEMBER_ME_COOKIE, RISKY_CRYPTO, SA.RISKY_CRYPTO, SENSITIVE_DATA_LEAK, STRICT_TRANSPORT_SECURITY, UNENCRYPTED_SENSITIVE_DATA, UNSAFE_SESSION_SETTING, UNSAFE_BASIC_AUTH, CERT MSC18-C, CERT SEC06-J, PMD.ApexInsecureEndpoint

APSC-DV-002460: The application must maintain the confidentiality and integrity of information during preparation for transmission.
    Checkers: AWS_SSL_DISABLED, CONFIG.CONNECTION_STRING_PASSWORD, CONFIG.SPRING_BOOT_SSL_DISABLED, CONFIG.SPRING_SECURITY_EXPOSED_SESSIONID, CONFIG.SPRING_SECURITY_LOGIN_OVER_HTTP, CONFIG.SPRING_SECURITY_WEAK_PASSWORD_HASH, CONFIG.SPRING_SECURITY_UNSAFE_AUTHENTICATION_FILTER, CONFIG.WEAK_SECURITY_CONSTRAINT, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, DC.WEAK_CRYPTO, DISABLED_ENCRYPTION, HARDCODED_CREDENTIALS, HPKP_MISCONFIGURATION, INSECURE_ACL, INSECURE_COMMUNICATION, INSECURE_NETWORK_BIND, INSECURE_RANDOM, INSECURE_REFERRER_POLICY, INSECURE_SALT, PREDICTABLE_RANDOM_SEED, RAILS_DEVISE_CONFIG, REVERSE_TABNABBING, RISKY_CRYPTO, SA.RISKY_CRYPTO, SECURE_TEMP, SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA, UNSAFE_BASIC_AUTH, UNSAFE_BUFFER_METHOD, WEAK_GUARD, WEAK_PASSWORD_HASH, VERBOSE_ERROR_REPORTING, WEAK_URL_SANITIZATION, CERT MSC30-C, CERT SEC02-J, PMD.ApexSuggestUsingNamedCred

APSC-DV-002470: The application must maintain the confidentiality and integrity of information during reception.
    Checkers: AWS_SSL_DISABLED, BAD_CERT_VERIFICATION, CONFIG.ATS_INSECURE, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SEQUELIZE_INSECURE_CONNECTION, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, INSECURE_COMMUNICATION, INSECURE_MULTIPEER_CONNECTION, RISKY_CRYPTO, SA.RISKY_CRYPTO, SENSITIVE_DATA_LEAK, STRICT_TRANSPORT_SECURITY, UNENCRYPTED_SENSITIVE_DATA, CERT SEC06-J

APSC-DV-002480: The application must not disclose unnecessary information to users.
    Checkers: ANDROID_CAPABILITY_LEAK, ANDROID_DEBUG_MODE, ASPNET_MVC_VERSION_HEADER, CONFIG.ANDROID_BACKUPS_ALLOWED, CONFIG.ASPNET_VERSION_HEADER, CONFIG.ASP_VIEWSTATE_MAC, CONFIG.CONNECTION_STRING_PASSWORD, CONFIG.DEAD_AUTHORIZATION_RULE, CONFIG.DWR_DEBUG_MODE, CONFIG.DYNAMIC_DATA_HTML_COMMENT, CONFIG.ENABLED_DEBUG_MODE, CONFIG.ENABLED_TRACE_MODE, CONFIG.JAVAEE_MISSING_SERVLET_MAPPING, CONFIG.MISSING_CUSTOM_ERROR_PAGE, CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER, CONFIG.MISSING_JSF2_SECURITY_CONSTRAINT, CONFIG.MYBATIS_MAPPER_SQLI, CONFIG.SEQUELIZE_ENABLED_LOGGING, CONFIG.SPRING_BOOT_SENSITIVE_LOGGING, CONFIG.SPRING_SECURITY_DEBUG_MODE, CONFIG.SPRING_SECURITY_DISABLE_AUTH_TAGS, CONFIG.STRUTS2_CONFIG_BROWSER_PLUGIN, CONFIG.STRUTS2_DYNAMIC_METHOD_INVOCATION, CONFIG.STRUTS2_ENABLED_DEV_MODE, EXPOSED_DIRECTORY_LISTING, EXPOSED_PREFERENCES, EXPRESS_WINSTON_SENSITIVE_LOGGING, EXPRESS_X_POWERED_BY_ENABLED, IMPLICIT_INTENT, INSECURE_DIRECT_OBJECT_REFERENCE, JSP_SQL_INJECTION, MISSING_PERMISSION_FOR_BROADCAST, MISSING_PERMISSION_ON_EXPORTED_COMPONENT, MOBILE_ID_MISUSE, OPEN_REDIRECT, RAILS_DEFAULT_ROUTES, RAILS_MISSING_FILTER_ACTION, REVERSE_TABNABBING, SENSITIVE_DATA_LEAK, SQLI, SQL_NOT_CONSTANT, UNRESTRICTED_ACCESS_TO_FILE, UNENCRYPTED_SENSITIVE_DATA, URL_MANIPULATION, PMD.ApexOpenRedirect

APSC-DV-002485: The application must not store sensitive information in hidden fields.
    Checkers: SENSITIVE_DATA_LEAK

APSC-DV-002490: The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
    Checkers: ANGULAR_SCE_DISABLED, CONFIG.SPRING_SECURITY_DEPRECATED_XSS_HEADER, DOM_XSS, REACT_DANGEROUS_INNERHTML, JINJA2_AUTOESCAPE_DISABLED, VUE_TEMPLATE_UNSAFE_VHTML_DIRECTIVE, XSS

APSC-DV-002500: The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
    Checkers: CONFIG.CSURF_IGNORE_METHODS, CONFIG.DJANGO_CSRF_PROTECTION_DISABLED, CONFIG.HANA_XS_PREVENT_XSRF_DISABLED, CONFIG.SPRING_SECURITY_CSRF_PROTECTION_DISABLED, CONFIG.SYMFONY_CSRF_PROTECTION_DISABLED, CSRF, RUBY_VULNERABLE_LIBRARY, CONFIG.BEEGO_CSRF_PROTECTION_DISABLED, PMD.VfCsrf

APSC-DV-002510: The application must protect from command injection.
    Checkers: OS_CMD_INJECTION, TAINTED_ENVIRONMENT_WITH_EXECUTION, CERT IDS07-J

APSC-DV-002520: The application must protect from canonical representation vulnerabilities.
    Checkers: BUSBOY_MISCONFIGURATION, FILE_UPLOAD_MISCONFIGURATION, JSP_DYNAMIC_INCLUDE, MULTER_MISCONFIGURATION, PATH_MANIPULATION, RUBY_VULNERABLE_LIBRARY, CERT FIO32-C

APSC-DV-002530: The application must validate all input.
    Checkers: ANGULAR_EXPRESSION_INJECTION, CONFIG.UNSAFE_SESSION_TIMEOUT, COOKIE_SERIALIZER_CONFIG, CORS_MISCONFIGURATION_AUDIT, DISTRUSTED_DATA_DESERIALIZATION, FORMAT_STRING_INJECTION, HOST_HEADER_VALIDATION_DISABLED, HPKP_MISCONFIGURATION, INSUFFICIENT_PRESIGNED_URL_TIMEOUT, JAVA_CODE_INJECTION, JCR_INJECTION, JSP_DYNAMIC_INCLUDE, LDAP_INJECTION, LDAP_NOT_CONSTANT, NEGATIVE_RETURNS, NOSQL_QUERY_INJECTION, OGNL_INJECTION, PATH_MANIPULATION, PW.NON_CONST_PRINTF_FORMAT_STRING, REGEX_INJECTION, REVERSE_NEGATIVE, RUBY_VULNERABLE_LIBRARY, SCRIPT_CODE_INJECTION, TAINTED_SCALAR, TEMPLATE_INJECTION, TEMPORARY_CREDENTIALS_DURATION, UNCHECKED_ORIGIN, UNKNOWN_LANGUAGE_INJECTION, UNRESTRICTED_DISPATCH, UNRESTRICTED_MESSAGE_TARGET, UNSAFE_DESERIALIZATION, UNSAFE_JNI, UNSAFE_NAMED_QUERY, UNSAFE_REFLECTION, XPATH_INJECTION, CERT ARR00-C, CERT CTR55-CPP, CERT FIO30-C, CERT SER01-J, CERT STR53-CPP, CERT SER12-J

APSC-DV-002540: The application must not be vulnerable to SQL Injection.
    Checkers: CONFIG.MYBATIS_MAPPER_SQLI, DYNAMIC_OBJECT_ATTRIBUTES, JSP_SQL_INJECTION, NOSQL_QUERY_INJECTION, RUBY_VULNERABLE_LIBRARY, SQLI, SQL_NOT_CONSTANT, PMD.ApexSOQLInjection

APSC-DV-002550: The application must not be vulnerable to XML-oriented attacks.
    Checkers: WEAK_XML_SCHEMA, XML_EXTERNAL_ENTITY, XML_INJECTION, XPATH_INJECTION, UNSAFE_XML_PARSE_CONFIG

APSC-DV-002560: The application must not be subject to input handling vulnerabilities.
    Checkers: NEGATIVE_RETURNS, REVERSE_NEGATIVE, TAINTED_SCALAR, CERT ARR00-C, CERT CTR55-CPP, CERT STR53-CPP

APSC-DV-002570: The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
    Checkers: CONFIG.CORDOVA_EXCESSIVE_LOGGING, CONFIG.SEQUELIZE_ENABLED_LOGGING, CONFIG.SPRING_BOOT_SENSITIVE_LOGGING, EXPRESS_WINSTON_SENSITIVE_LOGGING, INSUFFICIENT_LOGGING, SENSITIVE_DATA_LEAK, UNLOGGED_SECURITY_EXCEPTION

APSC-DV-002590: The application must not be vulnerable to overflow attacks.
    Checkers: ALLOC_FREE_MISMATCH, ARRAY_VS_SINGLETON, BAD_ALLOC_ARITHMETIC, BAD_ALLOC_STRLEN, BAD_CERT_VERIFICATION, BAD_FREE, BUFFER_SIZE, BUFFER_SIZE_WARNING, CALL_SUPER, CHAR_IO, COM.ADDROF_LEAK, COM.BAD_FREE, COM.BSTR.ALLOC, COM.BSTR.CONV, CTOR_DTOR_LEAK, DELETE_ARRAY, DELETE_VOID, EVALUATION_ORDER, INCOMPATIBLE_CAST, INTEGER_OVERFLOW, INVALIDATE_ITERATOR, MISMATCHED_ITERATOR, MISRA_CAST, MISSING_COPY, MISSING_ASSIGN, NO_EFFECT, NEGATIVE_RETURNS, OVERRUN, PW.BAD_CAST, PW.CONVERSION_TO_POINTER_LOSES_BITS, RAILS_DEVISE_CONFIG, READLINK, RESOURCE_LEAK, REVERSE_NEGATIVE, SENSITIVE_DATA_LEAK, SIGN_EXTENSION, SIZECHECK, SQLI, STACK_USE, STRING_NULL, STRING_OVERFLOW, STRING_SIZE, TAINTED_SCALAR, USE_AFTER_FREE, VIRTUAL_DTOR, WRAPPER_ESCAPE, WRITE_CONST_FIELD, Y2K38_SAFETY, UNSAFE_FUNCTIONALITY
    Note: This ASD STIG ID is also partially covered by some checkers for the SEI CERT C/C++, MISRA, and AUTOSAR standards. Contact Synopsys to obtain a full list of checkers that address the issues related to STIG ID APSC-DV-002590. Synopsys customers can also find this list in the Checker Reference technical guide.

APSC-DV-003100: The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
    Checkers: BAD_CERT_VERIFICATION, CONFIG.CSURF_IGNORE_METHODS, CONFIG.DJANGO_CSRF_PROTECTION_DISABLED, CONFIG.HANA_XS_PREVENT_XSRF_DISABLED, CONFIG.REQUEST_STRICTSSL_DISABLED, CONFIG.SPRING_SECURITY_CSRF_PROTECTION_DISABLED, CONFIG.SYMFONY_CSRF_PROTECTION_DISABLED, CONFIG.UNSAFE_SESSION_TIMEOUT, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, CSRF, CSRF_MISCONFIGURATION_HAPI_CRUMB, HOST_HEADER_VALIDATION_DISABLED, HPKP_MISCONFIGURATION, INSUFFICIENT_PRESIGNED_URL_TIMEOUT, JSONWEBTOKEN_UNTRUSTED_DECODE, MULTER_MISCONFIGURATION, RISKY_CRYPTO, RUBY_VULNERABLE_LIBRARY, SA.RISKY_CRYPTO, TEMPORARY_CREDENTIALS_DURATION, UNCHECKED_ORIGIN, WEAK_GUARD, CERT SEC02-J, CERT SEC06-J, CONFIG.BEEGO_CSRF_PROTECTION_DISABLED, PMD.VfCsrf

APSC-DV-003110: The application must not contain embedded authentication data.
    Checkers: CONFIG.CONNECTION_STRING_PASSWORD, CONFIG.HARDCODED_CREDENTIALS_AUDIT, CONFIG.HARDCODED_TOKEN, CONFIG.SPRING_SECURITY_HARDCODED_CREDENTIALS, CONFIG.SPRING_SECURITY_REMEMBER_ME_HARDCODED_KEY, HARDCODED_CREDENTIALS, UNSAFE_BASIC_AUTH, UNSAFE_SESSION_SETTING, CERT MSC03-J, PMD.ApexBadCrypto, PMD.ApexSuggestUsingNamedCred

APSC-DV-003215: The application development team must follow a set of coding standards.
    Checkers: ALLOC_FREE_MISMATCH, ANONYMOUS_DB_CONNECTION, ASSERT_SIDE_EFFECT, ASSIGN_NOT_RETURNING_STAR_THIS, AWS_VALIDATION_DISABLED, BAD_COMPARE, BAD_EQ, BAD_EQ_TYPES, BAD_OVERRIDE, BAD_SHIFT, BAD_SIZEOF, BUFFER_SIZE, CALL_SUPER, CHAR_IO, CHROOT, COM.ADDROF_LEAK, COM.BAD_FREE, COM.BSTR.BAD_COMPARE, COM.BSTR.NE_NON_BSTR, CONFIG.COOKIES_MISSING_HTTPONLY, CONFIG.COOKIE_SIGNING_DISABLED, CONFIG.DEAD_AUTHORIZATION_RULE, CONFIG.DUPLICATE_SERVLET_DEFINITION, CONFIG.HTTP_VERB_TAMPERING, CONFIG.SPRING_BOOT_SSL_DISABLED, CONFIG.SPRING_SECURITY_SESSION_FIXATION, CONFIG.STRUTS2_DYNAMIC_METHOD_INVOCATION, CONFIG.UNSAFE_SESSION_TIMEOUT, CONSTANT_EXPRESSION_RESULT, COOKIE_INJECTION, COPY_PASTE_ERROR, COPY_WITHOUT_ASSIGN, CORS_MISCONFIGURATION, CORS_MISCONFIGURATION_AUDIT, DC.DANGEROUS, DC.DEADLOCK, DC.STREAM_BUFFER, DC.STRING_BUFFER, DEADCODE, EL_INJECTION, ENUM_AS_BOOLEAN, EVALUATION_ORDER, EXPLICIT_THIS_EXPECTED, HFA, HIBERNATE_BAD_HASHCODE, HPKP_MISCONFIGURATION, IDENTICAL_BRANCHES, IDENTIFIER_TYPO, INCOMPATIBLE_CAST, INSECURE_HTTP_FIREWALL, INVALIDATE_ITERATOR, MISMATCHED_ITERATOR, MISRA_CAST, MISSING_ASSIGN, MISSING_AUTHZ, MISSING_BREAK, MISSING_COMMA, MISSING_COPY, MISSING_MOVE_ASSIGNMENT, MISSING_RESTORE, MISSING_RETURN, MISSING_THROW, MIXED_ENUMS, NEGATIVE_RETURNS, NESTING_INDENT_MISMATCH, NO_EFFECT, OPEN_ARGS, ORM_LOAD_NULL_CHECK, ORM_LOST_UPDATE, ORM_UNNECESSARY_GET, OVERFLOW_BEFORE_WIDEN, PARSE_ERROR, PASS_BY_VALUE, PROPERTY_MIXUP, PW.ASSIGN_WHERE_COMPARE_MEANT, PW.BAD_CAST, PW.BAD_PRINTF_FORMAT_STRING, PW.BRANCH_PAST_INITIALIZATION, PW.CONVERSION_TO_POINTER_LOSES_BITS, PW.DIVIDE_BY_ZERO, PW.EXPR_HAS_NO_EFFECT, PW.INCLUDE_RECURSION, PW.INTEGER_OVERFLOW, PW.INTEGER_TOO_LARGE, PW.NON_CONST_PRINTF_FORMAT_STRING, PW.RETURN_PTR_TO_LOCAL_TEMP, PW.SHIFT_COUNT_TOO_LARGE, PW.TOO_FEW_PRINTF_ARGS, PW.TOO_MANY_PRINTF_ARGS, PW.UNSIGNED_COMPARE_WITH_NEGATIVE, READLINK, REGEX_CONFUSION, RETURN_LOCAL, SECURE_TEMP, SELF_ASSIGN, SIGN_EXTENSION, SIZEOF_MISMATCH, SLEEP, STRAY_SEMICOLON, STREAM_FORMAT_STATE, SWAPPED_ARGUMENTS, TAINT_ASSERT, UNINIT, UNINIT_CTOR, UNINTENDED_GLOBAL, UNINTENDED_INTEGER_DIVISION, UNREACHABLE, UNUSED_VALUE, USELESS_CALL, USER_POINTER, USE_AFTER_FREE, VARARGS, VIRTUAL_DTOR, WRAPPER_ESCAPE, WRONG_METHOD, UNINIT_NONNULL
    Note: This ASD STIG ID is also partially covered by checkers for the SEI CERT C/C++, SEI CERT Java, MISRA, and AUTOSAR standards. Contact Synopsys to obtain a full list of checkers that address the issues related to STIG ID APSC-DV-003215. Synopsys customers can also find this list in the Checker Reference technical guide.

APSC-DV-003235: The application must not be subject to error handling vulnerabilities.
    Checkers: BAD_COMPARE, CHECKED_RETURN, ORM_LOAD_NULL_CHECK, NEGATIVE_RETURNS, REVERSE_NEGATIVE, UNCAUGHT_EXCEPT

APSC-DV-003300: The designer must ensure uncategorized or emerging mobile code is not used in applications.
    Checkers: FB.FI_PUBLIC_SHOULD_BE_PROTECTED, CERT SER05-J

APSC-DV-003320: Protections against DoS attacks must be implemented.
    Checkers: BAD_FREE, COM.BSTR.CONV, DC.DEADLOCK, DIVIDE_BY_ZERO, FORWARD_NULL, INFINITE_LOOP, LOCK_INVERSION, NULL_RETURNS, ORDER_REVERSAL, PW.DIVIDE_BY_ZERO, REVERSE_INULL, TAINTED_SCALAR, AUTOSAR C++14-A5-3-2, AUTOSAR C++14-A5-6-1, AUTOSAR C++14-A8-4-10, CERT CON35-C, CERT CON53-CPP, CERT ERR08-J, CERT EXP34-C, CERT INT33-C, CERT MEM34-C, CERT STR38-C, CERT STR51-CPP, CERT EXP01-J, CERT NUM02-J, UNINIT_NONNULL

This datasheet applies to Coverity 2021.06 and later releases.

The Synopsys difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. For more information about the Synopsys Software Integrity Group, visit us online at www.synopsys.com/software.

Synopsys, Inc.
690 E Middlefield Road
Mountain View, CA 94043 USA
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: sig-info@synopsys.com

©2021 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. June 2021
