precedents top-level constant
Precedent rules for common patterns.
Implementation
const List<String> precedents = [
'Logging high-value secrets in plaintext is a vulnerability; logging URLs '
'is assumed safe',
'UUIDs can be assumed unguessable and do not need validation',
'Environment variables and CLI flags are trusted values — attacks requiring '
'control of an env var are invalid',
'Resource management issues (memory or file descriptor leaks) are not valid',
'Subtle or low-impact web vulnerabilities (tabnabbing, XS-Leaks, prototype '
'pollution, open redirects) should not be reported unless extremely high '
'confidence',
'React and Angular are generally secure against XSS — do not report XSS '
'unless using dangerouslySetInnerHTML, bypassSecurityTrustHtml, or similar',
'Most GitHub Action workflow vulnerabilities are not exploitable in practice',
'Lack of permission checking in client-side JS/TS is not a vulnerability — '
'validation is the server\'s responsibility',
'Most iPython notebook (.ipynb) vulnerabilities are not exploitable in practice',
'Logging non-PII data is not a vulnerability, even if potentially sensitive',
'Only include MEDIUM findings if they are obvious and concrete issues',
'Command injection in shell scripts is generally not exploitable since they '
'don\'t run with untrusted user input',
];
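The page shows only the constant, not how the project consumes it. As an added illustration (not code from the documented package), the Dart below applies a subset of the rules above as a mechanical pre-filter over a hypothetical `Finding` model, returning the 1-based position of the precedent that suppresses a finding or `null` when it should be reported. The `Finding` fields, the category names, the `0.95` confidence threshold and the reading of "most ... are not exploitable" as "suppress unless very high confidence" are all assumptions of this example.

```dart
// Added example, not part of the documented package: a pre-filter that
// encodes some of the `precedents` rules on this page. The Finding model,
// category strings and thresholds are assumptions made for illustration.

enum Severity { low, medium, high, critical }

class Finding {
  final String category; // e.g. 'xss', 'command-injection', 'open-redirect'
  final Severity severity;
  final double confidence; // scanner's own estimate, 0.0 .. 1.0 (assumed)
  final String filePath;
  final String? framework; // 'react', 'angular' or null (assumed field)
  final bool concrete; // a concrete trigger path was identified
  final Set<String> sources; // where the tainted value originates
  final Set<String> sinks; // APIs the tainted value reaches

  const Finding({
    required this.category,
    required this.severity,
    required this.filePath,
    this.confidence = 0.5,
    this.framework,
    this.concrete = false,
    this.sources = const {},
    this.sinks = const {},
  });
}

// "Extremely high confidence" threshold; the value is this example's choice.
const double _highConfidence = 0.95;

const Set<String> _lowImpactWeb = {
  'tabnabbing', 'xs-leak', 'prototype-pollution', 'open-redirect',
};

const Set<String> _unsafeHtmlSinks = {
  'dangerouslySetInnerHTML', 'bypassSecurityTrustHtml',
};

/// Returns null when the finding should be reported, otherwise the 1-based
/// position in `precedents` of the rule that suppresses it.
int? suppressedBy(Finding f) {
  final path = f.filePath.toLowerCase();
  final clientSide = path.endsWith('.js') || path.endsWith('.jsx') ||
      path.endsWith('.ts') || path.endsWith('.tsx');

  // Precedent 3: env vars and CLI flags are trusted values.
  if (f.sources.contains('env') || f.sources.contains('cli-flag')) return 3;
  // Precedent 4: resource management issues are out of scope.
  if (f.category == 'resource-leak') return 4;
  // Precedent 5: low-impact web classes need extremely high confidence.
  if (_lowImpactWeb.contains(f.category) && f.confidence < _highConfidence) {
    return 5;
  }
  // Precedent 6: React/Angular XSS only through known unsafe sinks.
  if (f.category == 'xss' &&
      (f.framework == 'react' || f.framework == 'angular') &&
      f.sinks.intersection(_unsafeHtmlSinks).isEmpty) {
    return 6;
  }
  // Precedents 7 and 9: workflow and notebook findings are rarely
  // exploitable; this example reads "most" as "unless very high confidence".
  if (path.startsWith('.github/workflows/') && f.confidence < _highConfidence) {
    return 7;
  }
  if (path.endsWith('.ipynb') && f.confidence < _highConfidence) return 9;
  // Precedent 8: client-side permission checks are not the trust boundary.
  if (f.category == 'missing-authz' && clientSide) return 8;
  // Precedent 11: MEDIUM only when obvious and concrete.
  if (f.severity == Severity.medium && !f.concrete) return 11;
  // Precedent 12: shell-script command injection needs untrusted input.
  if (f.category == 'command-injection' &&
      path.endsWith('.sh') &&
      !f.sources.contains('user-input')) {
    return 12;
  }
  return null;
}

void main() {
  // Constructed sample findings, chosen to exercise several rules.
  final samples = <Finding>[
    Finding(category: 'xss', severity: Severity.high,
        filePath: 'src/Profile.jsx', framework: 'react', sinks: {'innerText'}),
    Finding(category: 'xss', severity: Severity.high,
        filePath: 'src/Profile.jsx', framework: 'react',
        sinks: {'dangerouslySetInnerHTML'}, sources: {'user-input'}),
    Finding(category: 'command-injection', severity: Severity.high,
        filePath: 'scripts/deploy.sh', sources: {'env'}),
    Finding(category: 'open-redirect', severity: Severity.medium,
        filePath: 'routes/login.ts', confidence: 0.6, concrete: true),
  ];
  for (final f in samples) {
    final hit = suppressedBy(f);
    final verdict = hit == null ? 'report' : 'suppressed by precedent $hit';
    print('${f.category} in ${f.filePath}: $verdict');
  }
}
```

Of the four constructed findings, only the React XSS that reaches `dangerouslySetInnerHTML` from user input survives; the other three are caught by precedents 6, 3 and 5 respectively. Rules 1, 2 and 10 (logging and UUID guidance) depend on knowing what a logged value or identifier is, which this model does not capture, so they are left to the reviewer.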