mcp-server-semgrep/semgrep-rules/java/lang/security/audit/xss/jsp/no-scriptlets.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: no-scriptlets
  message: >-
    JSP scriptlet detected. Scriptlets are difficult to use securely and
    are considered bad practice. See https://stackoverflow.com/a/3180202.
    Instead, consider migrating to JSF or using the Expression Language
    '${...}' with the escapeXml function in your JSP files.
  metadata:
    owasp:
    - A03:2021 - Injection
    cwe:
    - 'CWE-116: Improper Encoding or Escaping of Output'
    references:
    - https://stackoverflow.com/a/3180202
    - https://stackoverflow.com/a/4948856
    category: security
    technology:
    - jsp
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
  pattern-regex: |-
    \<\%[^\@].*
  paths:
    include:
    - '*.jsp'
  languages: [regex]
  severity: WARNING