Table A10. RQ2: findings for the CWE Top 25 (2023) risk categories, part I (number of vulnerabilities found).
The highest number of vulnerabilities found for each tool is shown in bold.
| Category | Yasca | Progpilot | Snyk | SonarQube | OWASP ZAP | Wapiti | Vega | IronWASP | Burp Suite |
|---|---|---|---|---|---|---|---|---|---|
| CWE-787: Out-of-bounds Write | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 13,797 | 3,436 | 823 | 0 | 122 | 68 | 39 | 113 | 44 |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 21 | 4,056 | 1,291 | 0 | 219 | 110 | 307 | 336 | 200 |
| CWE-416: Use After Free | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 37 | 0 |
| CWE-20: Improper Input Validation | 0 | 0 | 59 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-125: Out-of-bounds Read | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 0 | 36 | 246 | 0 | 421 | 43 | 2,652 | 792 | 0 |
| CWE-352: Cross-Site Request Forgery (CSRF) | 0 | 0 | 0 | 0 | 9,725 | 0 | 0 | 0 | 0 |
| CWE-434: Unrestricted Upload of File with Dangerous Type | 0 | 0 | 43 | 0 | 0 | 0 | 0 | 109 | 0 |
| CWE-862: Missing Authorization | 0 | 0 | 862 | 0 | 578 | 0 | 0 | 0 | 0 |
| CWE-476: NULL Pointer Dereference | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-287: Improper Authentication | 0 | 0 | 458 | 30 | 0 | 0 | 0 | 0 | 0 |