Secure Product Metrics

This page shows various metrics for the products developed and maintained by the Secure Stage.

We are actively supporting Common Weakness Enumeration (CWE) as a standard vulnerability classification system and a common language to discuss software weaknesses.

Using CWE as a foundation has several advantages:

  1. CWE is a comprehensive and well-documented system and can be considered as a de-facto standard for discussing software weaknesses.
  2. CWE provides mappings to other vulnerability classification systems and/or rankings (such as the OWASP Top 10).
  3. CWE provides a stable ontology: definitions can be added but existing definitions do not change (unlike OWASP rankings).

CWE is a hierarchical system: its ontology is organized as a tree in which a parent CWE is more general than its children, and a child CWE describes a weakness in more specific terms than its parent.

In contrast to CWE, OWASP Top 10 provides a risk ranking of the most critical security vulnerabilities. The 10 risk categories change on a regular basis.

The table below shows the mapping between OWASP categories and their CWE counterparts. Note that the table includes transitive CWE mappings, i.e. all the CWE mappings listed on the OWASP Top 10 website together with their child CWEs.

| OWASP category | CWEs (including transitive child CWEs) |
|---|---|
| A1: Broken Access Control | 8, 9, 13, 15, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 61, 62, 64, 65, 66, 67, 69, 72, 73, 94, 95, 96, 97, 98, 114, 134, 178, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 213, 214, 215, 219, 220, 250, 256, 257, 258, 259, 260, 261, 262, 263, 264, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 312, 313, 314, 315, 316, 317, 318, 321, 322, 346, 350, 352, 359, 370, 374, 375, 377, 378, 379, 386, 402, 403, 419, 420, 421, 422, 424, 425, 426, 427, 428, 433, 441, 470, 472, 488, 491, 492, 493, 497, 498, 499, 500, 502, 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, 531, 532, 535, 536, 537, 538, 539, 540, 541, 548, 549, 550, 551, 552, 553, 555, 556, 565, 566, 582, 583, 593, 598, 599, 601, 603, 608, 612, 615, 619, 620, 621, 623, 627, 638, 639, 640, 642, 645, 647, 648, 651, 668, 706, 708, 732, 767, 784, 798, 804, 827, 836, 842, 862, 863, 913, 914, 915, 918, 921, 922, 923, 925, 926, 927, 939, 940, 941, 942, 1004, 1021, 1022, 1189, 1191, 1220, 1222, 1224, 1230, 1231, 1242, 1243, 1244, 1252, 1254, 1255, 1256, 1257, 1258, 1259, 1260, 1262, 1263, 1267, 1268, 1270, 1273, 1274, 1275, 1276, 1280, 1282, 1283, 1290, 1292, 1294, 1295, 1296, 1297, 1299, 1300, 1302, 1303, 1304, 1311, 1312, 1313, 1314, 1315, 1316, 1317, 1320, 1321, 1323, 1324, 1327, 1328, 1334, 1336 |
| A2: Cryptographic Failures | 5, 6, 259, 261, 296, 310, 319, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 347, 523, 587, 720, 757, 759, 760, 780, 798, 804, 818, 916, 1204, 1240, 1241 |
| A3: Injection | 15, 20, 37, 42, 43, 45, 46, 49, 50, 52, 53, 54, 56, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 93, 94, 95, 96, 97, 98, 99, 100, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 116, 117, 119, 120, 121, 122, 123, 124, 125, 126, 127, 129, 130, 134, 138, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 170, 179, 180, 181, 184, 190, 291, 384, 415, 416, 441, 462, 464, 466, 470, 471, 472, 473, 554, 564, 601, 606, 607, 610, 611, 621, 622, 624, 626, 627, 641, 643, 644, 652, 680, 692, 694, 781, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 805, 806, 822, 823, 824, 825, 838, 914, 917, 918, 943, 1021, 1173, 1174, 1236, 1284, 1285, 1286, 1287, 1288, 1289, 1336 |
| A4: Insecure Design | 5, 9, 13, 15, 73, 102, 105, 106, 108, 109, 114, 183, 209, 210, 211, 213, 235, 250, 256, 257, 258, 259, 260, 266, 267, 268, 269, 270, 271, 272, 273, 274, 280, 302, 307, 308, 309, 311, 312, 313, 314, 315, 316, 317, 318, 319, 321, 350, 419, 424, 425, 426, 430, 434, 444, 447, 451, 455, 472, 501, 520, 522, 523, 525, 535, 536, 537, 539, 549, 550, 554, 555, 556, 565, 579, 598, 602, 603, 614, 623, 636, 637, 638, 642, 646, 648, 650, 653, 654, 655, 656, 657, 671, 784, 798, 799, 807, 837, 840, 841, 927, 942, 1007, 1021, 1022, 1173, 1174, 1192, 1331 |
| A5: Security Misconfiguration | 2, 7, 11, 12, 13, 15, 16, 258, 260, 315, 520, 526, 537, 541, 547, 555, 611, 614, 756, 776, 942, 1004, 1032, 1174 |
| A6: Vulnerable and Outdated Components | 937, 1035, 1104 |
| A7: Identification and Authentication Failures | 13, 255, 256, 257, 258, 259, 260, 261, 262, 263, 287, 288, 289, 290, 291, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 321, 346, 350, 370, 384, 425, 521, 522, 523, 549, 555, 593, 599, 603, 613, 620, 640, 645, 798, 804, 836, 940, 1216, 1299, 1324 |
| A8: Software and Data Integrity Failures | 98, 345, 346, 347, 348, 349, 351, 352, 353, 354, 360, 422, 426, 494, 502, 565, 616, 646, 649, 784, 827, 829, 830, 915, 924, 1293, 1321 |
| A9: Security Logging and Monitoring Failures | 117, 223, 532, 778 |
| A10: Server-Side Request Forgery (SSRF) | 918 |

Below you can find the OWASP and CWE coverage for different secure products. All charts that are displayed below are powered by live anonymized vulnerability data from our security scans. These are vulnerabilities we are actively identifying in real-world customer usage of our security scanning tools.
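To make the mapping and coverage figures on this page concrete, here is an added worked example (not part of the original page or of GitLab's own tooling). It expands a small set of direct OWASP-to-CWE mappings through a parent/child CWE tree to obtain the transitive mapping the table above describes, resolves a single finding's CWE to every OWASP category it belongs to, and computes per-category coverage for a set of CWEs a scanner detects. The CWE tree slice and the direct mapping sets are hand-built assumptions for illustration; the real CWE hierarchy and the OWASP site's mapping lists should be used in practice.

```python
"""Transitive OWASP -> CWE mapping and coverage computation (added example)."""

# Constructed toy slice of the CWE parent -> children hierarchy.
# Assumption: hand-picked relations for illustration only; consult the
# published CWE data for the full tree.
CWE_CHILDREN = {
    74: [77, 79, 943],   # Injection -> Command Injection, XSS, Data Query Injection
    77: [78],            # Command Injection -> OS Command Injection
    943: [89],           # Data Query Injection -> SQL Injection
    284: [285, 862],     # Improper Access Control -> Improper Authorization, Missing Authorization
    285: [639],          # Improper Authorization -> Authorization Bypass Through User-Controlled Key
    287: [306],          # Improper Authentication -> Missing Authentication for Critical Function
}

# Constructed direct (non-transitive) mappings, i.e. the CWE ids an OWASP
# category lists before child CWEs are added. Assumption for illustration.
OWASP_DIRECT = {
    "A1: Broken Access Control": {284, 918},
    "A3: Injection": {74, 918},
    "A7: Identification and Authentication Failures": {287},
    "A10: Server-Side Request Forgery (SSRF)": {918},
}


def descendants(cwe, children=CWE_CHILDREN):
    """Return every transitive child of `cwe` (excluding `cwe` itself).

    Uses an explicit stack plus a visited set, so it also terminates if the
    hierarchy has a CWE reachable through more than one parent.
    """
    seen, stack = set(), list(children.get(cwe, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(children.get(current, []))
    return seen


def transitive_mapping(direct=OWASP_DIRECT, children=CWE_CHILDREN):
    """Expand each category's direct CWEs with all of their descendants."""
    mapping = {}
    for category, cwes in direct.items():
        full = set(cwes)
        for cwe in cwes:
            full |= descendants(cwe, children)
        mapping[category] = full
    return mapping


def categories_for_cwe(cwe, mapping):
    """All OWASP categories a finding with this CWE counts towards.

    A CWE can belong to several categories at once, so callers must not
    assume a single result.
    """
    return sorted(cat for cat, cwes in mapping.items() if cwe in cwes)


def coverage(detected, mapping):
    """Per category: (number of its CWEs the scanner detects, total CWEs)."""
    return {cat: (len(cwes & detected), len(cwes)) for cat, cwes in mapping.items()}


if __name__ == "__main__":
    mapping = transitive_mapping()
    # Constructed sample of CWEs reported by a scanner's rule set.
    detected = {78, 79, 89, 639, 918}
    for category, (hit, total) in coverage(detected, mapping).items():
        print(f"{category}: {hit}/{total} CWEs covered")
    print("CWE-918 counts towards:", categories_for_cwe(918, mapping))
```

The `descendants` walk is what turns the short lists on the OWASP site into the long rows in the table above; the multi-category lookup matters because, as the table shows, one CWE (918 is the clearest case) can sit under A1, A3 and A10 simultaneously, and a coverage metric that assigns each finding to only one category would undercount the others.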

OWASP Top 10 2021 Coverage

The chart below depicts the CWEs that map to the OWASP Top 10 2021. All of these CWEs are detected by GitLab’s SAST/DAST and Dependency Scanning capabilities.

[Chart: OWASP Top 10 2021 CWE coverage (embedded Tableau chart)]

CWE Coverage

SAST

The table below shows the combined Common Weakness Enumeration (CWE) findings reported by our SAST analyzers on projects hosted on gitlab.com.

[Table: combined SAST CWE findings on gitlab.com projects (embedded Tableau chart)]

Below you can find a list of which CWEs are detected by each analyzer:

eslint
flawfinder
gosec
nodejs-scan
semgrep
spotbugs

DAST

The table below shows the combined Common Weakness Enumeration (CWE) findings reported by our DAST analyzers on projects hosted on gitlab.com.

[Table: combined DAST CWE findings on gitlab.com projects (embedded Tableau chart)]

GitLab Advisory Database for Dependency Scanning

Statistical information about advisories for dependency scanning is available on the GitLab Landing Page for Dependency Scanning Advisories.