CWE-117, added html tables back.

BartKaras1128 · web-flow · commit 887a7336877a · 2025-10-31T12:19:04.000Z
Signed-off-by: Bartlomiej Karas &lt;moezarts@gmail.com&gt;
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-117/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-117/README.md
@@ -94,34 +94,27 @@ WARNING:root:Rejected login attempt: invalid username="guest'\nWARNING:root:User
 
 ## Automated Detection
 
-| Tool | Version | Check | Description |
-|------|---------|-------|-------------|
-| Bandit | 1.7.5 | Not Available | |
-| CodeQL | Latest | [py-log-injection](https://codeql.github.com/codeql-query-help/python/py-log-injection/) | |
-| Veracode | Latest | CWE 117 | [How to Fix CWE-117](https://community.veracode.com/s/article/How-to-Fix-CWE-117-Improper-Output-Neutralization-for-Logs) |
+|Tool|Version|Checker|Description|
+|:---|:---|:---|:---|
+|Bandit|1.7.4 on Python 3.10.4|B105<br>B106<br>B107|[B105: hardcoded_password_string — Bandit documentation](https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html)<br>[B106: hardcoded_password_funcarg — Bandit documentation](https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html)<br>[B107: hardcoded_password_default — Bandit documentation](https://bandit.readthedocs.io/en/latest/plugins/b107_hardcoded_password_default.html)|
+|sonarsource||RSPEC-2068<br>RSPEC-6437|[Python static code analysis: Hard-coded credentials are security-sensitive (sonarsource.com)](https://rules.sonarsource.com/python/RSPEC-2068)<br>[Credentials should not be hard-coded (sonarsource.com)](https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-6437/)|
+|codeQL|||[Hard-coded credentials — CodeQL query help documentation (github.com)](https://codeql.github.com/codeql-query-help/python/py-hardcoded-credentials/)|
 
 ## Related Guidelines
 
-| Source | Reference |
-|--------|----------|
-| [MITRE CWE](http://cwe.mitre.org/) | Pillar: [CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html) |
-| [MITRE CWE](http://cwe.mitre.org/) | Base: [CWE-117: Improper Output Neutralization for Log](https://cwe.mitre.org/data/definitions/117.html) |
-| [MITRE CWE](http://cwe.mitre.org/) | Base: [CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')](https://cwe.mitre.org/data/definitions/93.html) |
-| [MITRE CWE](http://cwe.mitre.org/) | Variant: [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')](https://cwe.mitre.org/data/definitions/113.html) |
-| [MITRE CAPEC](http://capec.mitre.org/) | Detailed: [CAPEC-93: Log Injection-Tampering-Forging](https://capec.mitre.org/data/definitions/93.html) |
-| [OWASP Top 10](https://owasp.org/Top10/) | [A09:2021 – Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/) |
-| [OWASP ASVS 4.0](https://owasp.org/) | [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/). See "V16 Security Logging and Error Handling". |
-| [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/index.html) | [OWASP Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html) |
-| ISO/IEC TR 24772:2013 | [ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use](https://www.iso.org/standard/61457.html) |
-| NIST SP 800-92 | [NIST SP 800-92 Guide to Computer Security Log Management](https://csrc.nist.gov/pubs/sp/800/92/final) |
+|||
+|:---|:---|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-693: Protection Mechanism Failure (4.12) (mitre.org)](https://cwe.mitre.org/data/definitions/693.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-798: Use of hardcoded credentials](https://cwe.mitre.org/data/definitions/798.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Variant: [CWE-259: Use of hardcoded password](https://cwe.mitre.org/data/definitions/259.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Variant: [CWE-321: Use of hardcode cryptographic key](https://cwe.mitre.org/data/definitions/321.html)|
+|[SEI CERT Oracle Codign Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[MSC03-J: Never hardcode sensitive information](https://wiki.sei.cmu.edu/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information)|
 
 ## Bibliography
 
-| Reference | Description |
-|-----------|-------------|
-| [CWE-117] | CWE-117: Improper Output Neutralization for Log [online]. Available from [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html), [Accessed 24 September 2025] |
-| [CWE-93] | CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') [online]. Available from [https://cwe.mitre.org/data/definitions/93.html](https://cwe.mitre.org/data/definitions/93.html), [Accessed 24 September 2025] |
-| [CWE-113] | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') [online]. Available from [https://cwe.mitre.org/data/definitions/113.html](https://cwe.mitre.org/data/definitions/113.html), [Accessed 24 September 2025] |
-| [CAPEC-93] | CAPEC-93: Log Injection-Tampering-Forging [online]. Available from [https://capec.mitre.org/data/definitions/93.html](https://capec.mitre.org/data/definitions/93.html), [Accessed 24 September 2025] |
-| [OWASP A09:2021] | A09:2021 – Security Logging and Monitoring Failures [online]. Available from [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/), [Accessed 24 September 2025] |
-| [OWASP 2025] | OWASP Cheat Sheet Series: Logging Cheat Sheet [online]. Available from [https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html), [Accessed 24 September 2025] [Logging_Cheat_Sheet.html"](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)</a> (see “Event collection” and “Attacks on Logs”). [Accessed 24 September 2025] |
+|||
+|:---|:---|
+| [US Congress 1996] | Health Insurance Portability and Accountability Act (HIPAA) [online].Available from: [https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996](https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996) [accessed 27 February 2025]|
+| [European Parliament 2016] | General Data Protection Regulation (GDPR) [online]. Available from: [https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150) [accessed 27 February 2025]|
+| [CPPA 2025] |DIVISION 3. OBLIGATIONS [1427 - 3273.16] [online]. Available from: [https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150) [accessed 27 February 2025]|
+| [OSSF 2025] | CWE-532: Insertion of Sensitive Information into Log File [online]. Available from: [https://best.openssf.org/Secure-Coding-Guide-for-Python/CWE-664/CWE-532/](https://best.openssf.org/Secure-Coding-Guide-for-Python/CWE-664/CWE-532/) [accessed 27 February 2025]|
