| Framework / library | Package | Flow sources | Taint & value steps | Sinks (total) | CWE‑022 Path injection | CWE‑036 Path traversal | CWE‑079 Cross-site scripting | CWE‑089 SQL injection | CWE‑090 LDAP injection | CWE‑094 Code injection | CWE‑319 Cleartext transmission |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Android | android.* | 45 | 392 | 93 | | | 3 | 67 | | | |
| Apache Commons Collections | org.apache.commons.collections, org.apache.commons.collections4 | | 1600 | | | | | | | | |
| Apache Commons IO | org.apache.commons.io | | 22 | | | | | | | | |
| Apache Commons Lang | org.apache.commons.lang3 | | 423 | | | | | | | | |
| Apache Commons Text | org.apache.commons.text | | 272 | | | | | | | | |
| Apache HttpComponents | org.apache.hc.core5.*, org.apache.http | 5 | 136 | 28 | | | 3 | | | | 25 |
| Google Guava | com.google.common.* | | 728 | 6 | | 6 | | | | | |
| JSON-java | org.json | | 236 | | | | | | | | |
| Java Standard Library | java.* | 3 | 524 | 30 | 13 | | | 7 | | | 10 |
| Java extensions | javax.*, jakarta.* | 54 | 552 | 32 | | | 4 | | 1 | 1 | 2 |
| Spring | org.springframework.* | 29 | 469 | 91 | | | | 19 | 14 | | 29 |
| Others | androidx.slice, cn.hutool.core.codec, com.esotericsoftware.kryo.io, com.esotericsoftware.kryo5.io, com.fasterxml.jackson.core, com.fasterxml.jackson.databind, com.opensymphony.xwork2.ognl, com.unboundid.ldap.sdk, flexjson, groovy.lang, groovy.util, jodd.json, net.sf.saxon.s9api, ognl, org.apache.commons.codec, org.apache.commons.jexl2, org.apache.commons.jexl3, org.apache.commons.ognl, org.apache.directory.ldap.client.api, org.apache.ibatis.jdbc, org.apache.shiro.codec, org.apache.shiro.jndi, org.codehaus.groovy.control, org.dom4j, org.hibernate, org.jooq, org.mvel2, org.xml.sax, org.xmlpull.v1, play.mvc, ratpack.core.form, ratpack.core.handling, ratpack.core.http, ratpack.exec, ratpack.form, ratpack.func, ratpack.handling, ratpack.http, ratpack.util | 44 | 269 | 151 | | | | 14 | 18 | | |
| Totals | | 180 | 5623 | 431 | 13 | 6 | 10 | 107 | 33 | 1 | 66 |