Table A11. RQ2: findings for CWE top 25:2023 risk categories-II (number of vulnerabilities found).
The highest number of vulnerabilities found by each tool is shown in bold.
| Category | Yasca | Progpilot | Snyk | SonarQube | OWASP ZAP | Wapiti | Vega | IronWASP | Burp Suite |
|---|---|---|---|---|---|---|---|---|---|
| CWE-190: Integer Overflow or Wraparound | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-502: De-serialization of Untrusted Data | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 207 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 0 | 4 | 0 | 0 | 38 | 0 | 0 | 0 | 0 |
| CWE-798: Use of Hard-coded Credentials | 1,348 | 0 | 117 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-918: Server-Side Request Forgery (SSRF) | 0 | 0 | 36 | 0 | 0 | 0 | 0 | 16 | 0 |
| CWE-306: Missing Authentication for Critical Function | 0 | 0 | 89 | 45 | 0 | 0 | 0 | 0 | 0 |
| CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 97 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-269: Improper Privilege Management | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-94: Improper Control of Generation of Code (‘Code Injection’) | 0 | 0 | 8 | 0 | 0 | 0 | 0 | 20 | 0 |
| CWE-863: Incorrect Authorization | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CWE-276: Incorrect Default Permissions | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |