OpenAPI Queries List
This page contains all queries from OpenAPI.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Security Field On Operations Has An Empty Array 663c442d-f918-4f62-b096-0bf5dcbeb655 |
High | Access Control | Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error | Documentation |
| Global Security Field Has An Empty Array d674aea4-ba8b-454b-bb97-88a772ea33f0 |
High | Access Control | Security object need to have defined rules in its array and rules should be defined on securityScheme | Documentation |
| Security Field On Operations Has An Empty Object Definition baade968-7467-41e4-bf22-83ca222f5800 |
High | Access Control | Security object for operations should not be empty object or has any empty object definition | Documentation |
| Global Security Field Is Undefined 8af270ce-298b-4405-9922-82a10aee7a4f |
High | Access Control | Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes | Documentation |
| Field 'securityScheme' On Components Is Undefined 8db5544e-4874-4baa-9322-e9f75a2d219e |
High | Access Control | Components' securityScheme field must have a valid scheme | Documentation |
| Global security field has an empty object 543e38f4-1eee-479e-8eb0-15257013aa0a |
High | Access Control | Global security definition must not have empty objects | Documentation |
| No Global And Operation Security Defined 96729c6b-7400-4d9e-9807-17f00cdde4d2 |
High | Access Control | All paths should have security scheme, if it is omitted, global security field should be defined | Documentation |
| Implicit Flow in OAuth2 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a |
Medium | Access Control | There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated | Documentation |
| Invalid OAuth2 Authorization URL 52c0d841-60d6-4a81-88dd-c35fef36d315 |
Medium | Access Control | The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL | Documentation |
| Invalid OAuth2 Token URL 3ba0cca1-b815-47bf-ac62-1e584eb64a05 |
Medium | Access Control | OAuth2 security scheme flow requires a valid URL in the tokenUrl field | Documentation |
| Path Server Object Uses HTTP 9670f240-7b4d-4955-bd93-edaa9fa38b58 |
Medium | Encryption | The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection | Documentation |
| Global Server Object Uses HTTP 2d8c175a-6d90-412b-8b0e-e034ea49a1fe |
Medium | Encryption | Global server object URL should use 'https' protocol instead of 'http' | Documentation |
| Success Response Code Defined for Patch Operation 1908a8ee-927d-4166-8f18-241152170cc1 |
Medium | Networking and Firewall | Patch should define at least one success response (200, 201, 202 or 204) | Documentation |
| Success Response Code Defined for Put Operation 60b5f56b-66ff-4e1c-9b62-5753e16825bc |
Medium | Networking and Firewall | Put should define at least one success response (200, 201, 202 or 204) | Documentation |
| Success Response Code Defined for Delete Operation 3b497874-ae59-46dd-8d72-1868a3b8f150 |
Medium | Networking and Firewall | Delete should define at least one success response (200, 201, 202 or 204) | Documentation |
| Success Response Code Defined for Post Operation f368dd2d-9344-4146-a05b-7c6faa1269ad |
Medium | Networking and Firewall | Post should define at least one success response (200, 201, 202 or 204) | Documentation |
| Undefined Scope 'securityScheme' On Global 'security' Field 23a9e2d9-8738-4556-a71c-2802b6ffa022 |
Low | Access Control | Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker | Documentation |
| Undefined Scope 'securityScheme' On 'security' Field On Operations 462d6a1d-fed9-4d75-bb9e-3de902f35e6e |
Low | Access Control | Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker | Documentation |
| Invalid Contact Email b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 |
Info | Best Practices | Contact Object Email should be a valid email | Documentation |
| Invalid Contact URL 332cf2ad-380d-4b90-b436-46f8e635cf38 |
Info | Best Practices | Contact Object URL should be a valid URL | Documentation |
| Invalid Schema External Documentation URL 6952a7e0-6e48-4285-bbc1-27c64e60f888 |
Info | Best Practices | Schema External Documentation URL should be a valid URL | Documentation |
| Invalid Operation External Documentation URL 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb |
Info | Best Practices | Operation External Documentation URL should be a valid URL | Documentation |
| Invalid Tag External Documentation URL 5aea1d7e-b834-4749-b143-2c7ec3bd5922 |
Info | Best Practices | Tag External Documentation URL should be a valid URL | Documentation |
| Response Object With Incorrect Ref b3871dd8-9333-4d6c-bd52-67eb898b71ab |
Info | Structure and Semantics | Response Object reference must always point to '#components/responses' | Documentation |
| Servers Array Undefined c66ebeaa-676c-40dc-a3ff-3e49395dcd5e |
Info | Structure and Semantics | The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. | Documentation |
| Path Parameter Not Required 0de50145-e845-47f4-9a15-23bcf2125710 |
Info | Structure and Semantics | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. | Documentation |
| Server URL Not Absolute a0bf7382-5d5a-4224-924c-3db8466026c9 |
Info | Structure and Semantics | The Server URL should be an absolute URL | Documentation |
| Invalid Content Type For Multiple Files Upload 26f06397-36d8-4ce7-b993-17711261d777 |
Info | Structure and Semantics | Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) | Documentation |
| Request Body With Incorrect Ref 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d |
Info | Structure and Semantics | Request Body reference must always point to '#components/RequestBodies' | Documentation |
| Schema Discriminator Not Required b481d46c-9c61-480f-86d9-af07146dc4a4 |
Info | Structure and Semantics | The discriminator property in the Schema Object should be a required property | Documentation |
| Responses With Wrong HTTP Status Code d86655c0-92f6-4ffc-b4d5-5b5775804c27 |
Info | Structure and Semantics | HTTP Responses status code should be in range of [200-599] | Documentation |
| Parameter Object With Schema And Content 31dd6fc0-f274-493b-9614-e063086c19fc |
Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive | Documentation |
| Parameter Objects Headers With Duplicated Name 05505192-ba2c-4a81-9b25-dcdbcc973746 |
Info | Structure and Semantics | Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. | Documentation |
| Paths Object is Empty 815021c8-a50c-46d9-b192-24f71072c400 |
Info | Structure and Semantics | Paths object may be empty due to ACL constraints, meaning they are not exposed | Documentation |
| Parameter Object With Undefined Type 46facedc-f243-4108-ab33-583b807d50b0 |
Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property | Documentation |
| Parameter Object With Incorrect Ref d40f27e6-15fb-4b56-90f8-fc0ff0291c51 |
Info | Structure and Semantics | Parameter Object reference must always point to '#components/parameters' | Documentation |
| Link Object OperationId Does Not Target Operation Object c5bb7461-aa57-470b-a714-3bc3d74f4669 |
Info | Structure and Semantics | Link object 'OperationId' should target an existing operation object in the OpenAPI definition | Documentation |