Setting expectations, what is the source of truth for CWEs I can expect codeQL to find?

[shay-legit]

Hi

Is this list below the one I should look at for supported CWEs per language? Can I expect relevant CWE-s for the specific language to be found (in case of a matching issue)? is there somewhere else I should be looking at?

https://codeql.github.com/codeql-query-help/full-cwe/

I am mostly asking after testing a few things with "WebGoat" and not seeing issues that should have been found according to the above table.

Thank you.

[hvitved]

Hi

Yes, I believe that is the list of CWEs that we currently support. Note that some CWEs are extremely broad in scope, for example CWE-200, where sensitive information can mean a lot of different things, so claiming full support is virtually impossible.

Out of interest, which results were you missing on WebGoat?