OpenAPI Queries List
This page contains all queries from OpenAPI.
SHARED (V2/V3)
Below are the queries related to OpenAPI SHARED (V2/V3):
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Security Field On Operations Has An Empty Array (v2) 5d29effc-5d68-481f-9721-d74e5919226b | High | Access Control | Security object for operations, if defined, must define a security scheme; otherwise it should be considered an error | Documentation |
Security Field On Operations Has An Empty Array (v3) 663c442d-f918-4f62-b096-0bf5dcbeb655 | High | Access Control | Security object for operations, if defined, must define a security scheme; otherwise it should be considered an error | Documentation |
Global Security Field Has An Empty Array (v2) da31d54b-ad54-41dc-95eb-8b3828629213 | High | Access Control | Security object needs to have rules defined in its array, and the rules should be defined on securityScheme | Documentation |
Global Security Field Has An Empty Array (v3) d674aea4-ba8b-454b-bb97-88a772ea33f0 | High | Access Control | Security object needs to have rules defined in its array, and the rules should be defined on securityScheme | Documentation |
No Global And Operation Security Defined (v2) 586abcee-9653-462d-ad7b-2638a32bd6e6 | High | Access Control | All paths should have a security scheme; if it is omitted, the global security field should be defined | Documentation |
No Global And Operation Security Defined (v3) 96729c6b-7400-4d9e-9807-17f00cdde4d2 | High | Access Control | All paths should have a security scheme; if it is omitted, the global security field should be defined | Documentation |
Global security field has an empty object (v2) 292919fb-7b26-4454-bee9-ce29094768dd | High | Access Control | Global security definition must not have empty objects | Documentation |
Global security field has an empty object (v3) 543e38f4-1eee-479e-8eb0-15257013aa0a | High | Access Control | Global security definition must not have empty objects | Documentation |
Global Security Field Is Undefined (v2) 74703c89-0ea2-49ab-a7db-bf04f19f5a57 | High | Access Control | Global security field should be defined to prevent the API from having insecure paths, with its rules defined on securityDefinitions | Documentation |
Global Security Field Is Undefined (v3) 8af270ce-298b-4405-9922-82a10aee7a4f | High | Access Control | Global security field should be defined to prevent the API from having insecure paths, with its rules defined on securitySchemes | Documentation |
Security Field On Operations Has An Empty Object Definition (v2) 74581e3b-1d55-4323-a139-5959a7b3abc5 | High | Access Control | Security object for operations should not be an empty object or contain any empty object definition | Documentation |
Security Field On Operations Has An Empty Object Definition (v3) baade968-7467-41e4-bf22-83ca222f5800 | High | Access Control | Security object for operations should not be an empty object or contain any empty object definition | Documentation |
Cleartext API Key In Operation Security (v2) 99733b39-6413-4ed8-8acf-dc7cdc9b4e51 | High | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Cleartext API Key In Operation Security (v3) d90d4e40-44c1-4125-87a0-e072c3e195b5 | High | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Array Without Maximum Number of Items (v2) 99eb2c95-2040-4104-9e7c-e16f7474d218 | High | Insecure Configurations | Array schema/parameter should have the field 'maxItems' set | Documentation |
Array Without Maximum Number of Items (v3) 6998389e-66b2-473d-8d05-c8d71ac4d04d | High | Insecure Configurations | Array schema should have the field 'maxItems' set | Documentation |
Array Items Has No Type (v2) 8697a1a4-82c6-4603-8ac8-57529756744e | High | Insecure Configurations | Schema/Parameter array items type should be defined | Documentation |
Array Items Has No Type (v3) be0e0df7-f3d9-42a1-9b6f-d425f94872c4 | High | Insecure Configurations | Schema array items type should be defined | Documentation |
API Key Exposed In Global Security (v2) 533a0d13-6e89-4551-ae33-bce14e5849c1 | Medium | Access Control | API Keys should not be transported over network | Documentation |
API Key Exposed In Global Security (v3) aecee30b-8ea1-4776-a99c-d6d600f0862f | Medium | Access Control | API Keys should not be transported over network | Documentation |
Cleartext API Key In Global Security (v2) 70d3873e-d537-46e5-ac3b-4e48fbdd29b4 | Medium | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Cleartext API Key In Global Security (v3) 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c | Medium | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Numeric Schema Without Maximum (v2) 203eee11-15b6-4d47-b888-4c7f534967ee | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. | Documentation |
Numeric Schema Without Maximum (v3) 2ea04bef-c769-409e-9179-ee3a50b5c0ac | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. | Documentation |
JSON Object Schema Without Properties (v2) 3d28f751-bc18-4f83-ace0-216b6086410b | Medium | Insecure Configurations | Schema of the JSON object should have properties defined and 'additionalProperties' set to false. | Documentation |
JSON Object Schema Without Properties (v3) 9d967a2b-9d64-41a6-abea-dfc4960299bd | Medium | Insecure Configurations | Schema of the JSON object should have properties defined and 'additionalProperties' set to false. | Documentation |
String Schema with Broad Pattern (v2) e4a019f0-9af3-49c8-bf68-1939a6ff240d | Medium | Insecure Configurations | String schema should restrict the pattern | Documentation |
String Schema with Broad Pattern (v3) 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c | Medium | Insecure Configurations | String schema should restrict the pattern | Documentation |
Maximum Length Undefined (v2) 2ec86e48-ab90-4cb6-a131-0502afd1f442 | Medium | Insecure Configurations | String schema/parameter/header should have 'maxLength' defined. | Documentation |
Maximum Length Undefined (v3) 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85 | Medium | Insecure Configurations | String schema should have 'maxLength' defined. | Documentation |
Numeric Schema Without Minimum (v2) efd1dfc8-da91-4909-a3f3-c23abc5ec799 | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. | Documentation |
Numeric Schema Without Minimum (v3) 181bd815-767e-4e95-a24d-bb3c87328e19 | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. | Documentation |
Schema Object is Empty (v2) 967575e5-eb44-4c24-aadb-7e33608ed30a | Medium | Insecure Configurations | The Schema Object should not be empty to avoid accepting any JSON values | Documentation |
Schema Object is Empty (v3) 500ce696-d501-41dd-86eb-eceb011a386f | Medium | Insecure Configurations | The Schema Object should not be empty to avoid accepting any JSON values | Documentation |
JSON Object Schema Without Type (v2) 62d52544-82ef-4b75-8308-cad49d50212b | Medium | Insecure Configurations | Schema of the JSON object should have 'type' defined. | Documentation |
JSON Object Schema Without Type (v3) e2ffa504-d22a-4c94-b6c5-f661849d2db7 | Medium | Insecure Configurations | Schema of the JSON object should have 'type' defined. | Documentation |
Numeric Schema Without Format (v2) 3ed8fc82-c2bb-49e0-811f-c53923674c49 | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'format' defined. | Documentation |
Numeric Schema Without Format (v3) fbf699b5-ef74-4542-9cf1-f6eeac379373 | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'format' defined. | Documentation |
Pattern Undefined (v2) afde15cf-9444-4126-8c62-41cd79db1d1d | Medium | Insecure Configurations | String schema/parameter/header should have 'pattern' defined. | Documentation |
Pattern Undefined (v3) 00b78adf-b83f-419c-8ed8-c6018441dd3a | Medium | Insecure Configurations | String schema should have 'pattern' defined. | Documentation |
Success Response Code Undefined for Patch Operation (v2) f36e87cc-a209-4f37-8571-66833e4aead7 | Medium | Networking and Firewall | Patch should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Patch Operation (v3) 1908a8ee-927d-4166-8f18-241152170cc1 | Medium | Networking and Firewall | Patch should define at least one success response (200, 201, 202 or 204) | Documentation |
Default Response Undefined On Operations (v2) 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f | Medium | Networking and Firewall | Operations responses should have a default response defined | Documentation |
Default Response Undefined On Operations (v3) 86e3702f-c868-44b2-b61d-ea5316c18110 | Medium | Networking and Firewall | Operations responses should have a default response defined | Documentation |
Response on operations that should have a body has undefined schema (v2) 31afbcb7-70e0-48bb-a31a-3374f95cf859 | Medium | Networking and Firewall | If a response is not head or its code is not 204 or 304, it should have a schema defined | Documentation |
Response on operations that should have a body has undefined schema (v3) a92be1d5-d762-484a-86d6-8cd0907ba100 | Medium | Networking and Firewall | If a response is not head or its code is not 204 or 304, it should have a schema defined | Documentation |
Success Response Code Undefined for Put Operation (v2) 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6 | Medium | Networking and Firewall | Put should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Put Operation (v3) 60b5f56b-66ff-4e1c-9b62-5753e16825bc | Medium | Networking and Firewall | Put should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Post Operation (v2) 9fedee41-2e6d-4091-b011-4a16b4c18c70 | Medium | Networking and Firewall | Post should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Post Operation (v3) f368dd2d-9344-4146-a05b-7c6faa1269ad | Medium | Networking and Firewall | Post should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Head Operation (v2) 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a | Medium | Networking and Firewall | Head should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Head Operation (v3) 3b066059-f411-4554-ac8d-96f32bff90da | Medium | Networking and Firewall | Head should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Get Operation (v2) 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63 | Medium | Networking and Firewall | Get should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Get Operation (v3) b2f275be-7d64-4064-b418-be6b431363a7 | Medium | Networking and Firewall | Get should define at least one success response (200 or 202) | Documentation |
Response on operations that should not have a body has declared content (v2) 268defd2-2839-4e15-8cbc-de86eb38c231 | Medium | Networking and Firewall | If a response is head or its code is 204 or 304, it shouldn't have a schema defined | Documentation |
Response on operations that should not have a body has declared content (v3) 12a7210b-f4b4-47d0-acac-0a819e2a0ca3 | Medium | Networking and Firewall | If a response is head or its code is 204 or 304, it shouldn't have content defined | Documentation |
Response Code Missing (v2) 6e96ed39-bf45-4089-99ba-f1fe7cf6966f | Medium | Networking and Firewall | 500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. | Documentation |
Response Code Missing (v3) 6c35d2c6-09f2-4e5c-a094-e0e91327071d | Medium | Networking and Firewall | 500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. | Documentation |
Success Response Code Undefined for Delete Operation (v2) ad432855-b7fb-4429-92a3-93b5ce34f0b1 | Medium | Networking and Firewall | Delete should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Delete Operation (v3) 3b497874-ae59-46dd-8d72-1868a3b8f150 | Medium | Networking and Firewall | Delete should define at least one success response (200, 201, 202 or 204) | Documentation |
API Key Exposed In Operation Security (v2) 392599e4-a4e2-403d-bc56-3fe05755782d | Low | Access Control | API Keys should not be transported over network | Documentation |
API Key Exposed In Operation Security (v3) 281b8071-6226-4a43-911d-fec246d422c2 | Low | Access Control | API Keys should not be transported over network | Documentation |
Invalid Format (v2) caf1793e-95dd-4b18-8d90-8f3c0ab5bddf | Low | Insecure Configurations | The format should be valid for the type defined. For the integer type it must be int32 or int64, and for the number type it must be float or double | Documentation |
Invalid Format (v3) d929c031-078f-4241-b802-e224656ad890 | Low | Insecure Configurations | The format should be valid for the type defined. For the integer type it must be int32 or int64, and for the number type it must be float or double | Documentation |
Invalid Tag External Documentation URL (v2) b4a7d925-738b-4219-99d9-87d6ee262a03 | Info | Best Practices | Tag External Documentation URL should be a valid URL | Documentation |
Invalid Tag External Documentation URL (v3) 5aea1d7e-b834-4749-b143-2c7ec3bd5922 | Info | Best Practices | Tag External Documentation URL should be a valid URL | Documentation |
Header Parameter Named as 'Accept' (v2) 3ddd74cc-6582-486c-8b0c-2b48cb38e0a3 | Info | Best Practices | The header Parameter should not be named as 'Accept'. If so, it will be ignored. | Documentation |
Header Parameter Named as 'Accept' (v3) f2702af5-6016-46cb-bbc8-84c766032095 | Info | Best Practices | The header Parameter should not be named as 'Accept'. If so, it will be ignored. | Documentation |
Example Not Compliant With Schema Type (v2) 448db771-06ea-4dee-b48c-1689cbfb4b43 | Info | Best Practices | Example values and fields should be compliant with the schema type | Documentation |
Example Not Compliant With Schema Type (v3) 881a6e71-c2a7-4fe2-b9c3-dfcf08895331 | Info | Best Practices | Example values and fields should be compliant with the schema type | Documentation |
Operation Without Successful HTTP Status Code (v2) a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2 | Info | Best Practices | Operation Object should have at least one successful HTTP status code defined | Documentation |
Operation Without Successful HTTP Status Code (v3) 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd | Info | Best Practices | Operation Object should have at least one successful HTTP status code defined | Documentation |
Invalid Operation External Documentation URL (v2) 25635c31-ee32-4708-88e5-fced87516f51 | Info | Best Practices | Operation External Documentation URL should be a valid URL | Documentation |
Invalid Operation External Documentation URL (v3) 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb | Info | Best Practices | Operation External Documentation URL should be a valid URL | Documentation |
Required Property With Default Value (v2) f7ab6c83-ef89-40e1-8a99-32e2599fb665 | Info | Best Practices | Required properties receive their value from requests, which makes declaring a default value unnecessary | Documentation |
Required Property With Default Value (v3) 013bdb4b-9246-4248-b0c3-7fb0fee42a29 | Info | Best Practices | Required properties receive their value from requests, which makes declaring a default value unnecessary | Documentation |
Path Without Operation (v2) 609cd557-66b4-41fa-8edd-2abc6c7cfd08 | Info | Best Practices | Path object should have at least one operation object defined | Documentation |
Path Without Operation (v3) 84c826c9-1893-4b34-8cdd-db97645b4bf3 | Info | Best Practices | Path object should have at least one operation object defined | Documentation |
Header Parameter Named as 'Authorization' (v2) e2e00c97-7171-4fb4-b461-d631df9a711c | Info | Best Practices | The header Parameter should not be named as 'Authorization'. If so, it will be ignored. | Documentation |
Header Parameter Named as 'Authorization' (v3) 8c84f75e-5048-4926-a4cb-33e7b3431300 | Info | Best Practices | The header Parameter should not be named as 'Authorization'. If so, it will be ignored. | Documentation |
Invalid Contact URL (v2) c7000383-16d0-4509-8cd3-585e5ea2e2f2 | Info | Best Practices | Contact Object URL should be a valid URL | Documentation |
Invalid Contact URL (v3) 332cf2ad-380d-4b90-b436-46f8e635cf38 | Info | Best Practices | Contact Object URL should be a valid URL | Documentation |
JSON '$ref' alongside other properties (v2) f34c1c68-4773-4df0-a103-6e2ca32e585f | Info | Best Practices | Each field in the OpenAPI specification that accepts '$ref' implies that the field uses a reference object, which has only the '$ref' key | Documentation |
JSON '$ref' alongside other properties (v3) 96beb800-566f-49a9-a0ea-dbdf4bc80429 | Info | Best Practices | Each field in the OpenAPI specification that accepts '$ref' implies that the field uses a reference object, which has only the '$ref' key | Documentation |
Invalid Contact Email (v2) d83bebc8-4e5e-4241-b783-cba9fb5a1c9a | Info | Best Practices | Contact Object Email should be a valid email | Documentation |
Invalid Contact Email (v3) b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 | Info | Best Practices | Contact Object Email should be a valid email | Documentation |
Object Using Enum With Keyword (v2) 7f15962a-d862-451c-ac9b-84ec13747aa6 | Info | Best Practices | Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords | Documentation |
Object Using Enum With Keyword (v3) 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a | Info | Best Practices | Schema Object properties should not contain 'enum' and schema keywords | Documentation |
Invalid Global External Documentation URL (v2) 46d3b74d-9fe9-45bf-9e9e-efb7f701ee28 | Info | Best Practices | Global External Documentation URL should be a valid URL | Documentation |
Invalid Global External Documentation URL (v3) b2d9dbf6-539c-4374-a1fd-210ddf5563a8 | Info | Best Practices | Global External Documentation URL should be a valid URL | Documentation |
Header Response Name Is Invalid (v2) 86733e01-a435-4bd5-a8b0-5108be9dc1e4 | Info | Best Practices | The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. | Documentation |
Header Response Name Is Invalid (v3) d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd | Info | Best Practices | The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. | Documentation |
Header Parameter Named as 'Content-Type' (v2) 51978067-3b22-4c29-aaf3-96bf0bc28897 | Info | Best Practices | The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. | Documentation |
Header Parameter Named as 'Content-Type' (v3) 72d259ca-9741-48dd-9f62-eb11f2936b37 | Info | Best Practices | The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. | Documentation |
Invalid License URL (v2) de2b4910-8484-46d6-a055-dc1e793ee3ff | Info | Best Practices | License Object URL should be a valid URL | Documentation |
Invalid License URL (v3) 9239c289-9e4c-4d92-8be1-9d506057c971 | Info | Best Practices | License Object URL should be a valid URL | Documentation |
Invalid Schema External Documentation URL (v2) f7fa95b7-d819-484c-9a2b-665dd1bba25e | Info | Best Practices | Schema External Documentation URL should be a valid URL | Documentation |
Invalid Schema External Documentation URL (v3) 6952a7e0-6e48-4285-bbc1-27c64e60f888 | Info | Best Practices | Schema External Documentation URL should be a valid URL | Documentation |
Parameter Objects Headers With Duplicated Name (v2) bd2cbef5-62c4-40f1-af07-4b7f9ced6616 | Info | Structure and Semantics | Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. | Documentation |
Parameter Objects Headers With Duplicated Name (v3) 05505192-ba2c-4a81-9b25-dcdbcc973746 | Info | Structure and Semantics | Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. | Documentation |
Property Defining Minimum Greater Than Maximum (v2) b5102ea9-6527-4bb7-94fc-9b4076150e55 | Info | Structure and Semantics | Property defining minimum has a greater value than the maximum defined | Documentation |
Property Defining Minimum Greater Than Maximum (v3) ab2af219-cd08-4233-b5a1-a788aac88b51 | Info | Structure and Semantics | Property defining minimum has a greater value than the maximum defined | Documentation |
Responses Object Is Empty (v2) 6172e7ab-d2b7-45f8-a7db-1603931d8ba3 | Info | Structure and Semantics | Responses Object should not be empty | Documentation |
Responses Object Is Empty (v3) 990eaf09-d6f1-4c3c-b174-a517b1de8917 | Info | Structure and Semantics | Responses Object should not be empty | Documentation |
Paths Object is Empty (v2) 3e6c7b1c-8a8d-43ab-98b9-65159f44db4a | Info | Structure and Semantics | Paths object may be empty due to ACL constraints, meaning they are not exposed | Documentation |
Paths Object is Empty (v3) 815021c8-a50c-46d9-b192-24f71072c400 | Info | Structure and Semantics | Paths object may be empty due to ACL constraints, meaning they are not exposed | Documentation |
Non-Array Schema With Items (v2) 9d47956b-29cd-43b1-9e6e-b39a4d484353 | Info | Structure and Semantics | Non-Array Schema should not have 'items' defined | Documentation |
Non-Array Schema With Items (v3) 20cb3159-b219-496b-8dac-54ae3ab2021a | Info | Structure and Semantics | Non-Array Schema should not have 'items' defined | Documentation |
Schema Has A Required Property Undefined (v2) 811762c8-2e99-4f70-88f9-a63875a953b1 | Info | Structure and Semantics | Schema Object should not have a required property that is not defined on properties | Documentation |
Schema Has A Required Property Undefined (v3) 2bd608ae-8a1f-457f-b710-c237883cb313 | Info | Structure and Semantics | Schema Object should not have a required property that is not defined on properties | Documentation |
Template Path With No Corresponding Path Parameter (v2) e7656d8d-7288-4bbe-b07b-22b389be75ce | Info | Structure and Semantics | The template path must have a corresponding path parameter for a given operation | Documentation |
Template Path With No Corresponding Path Parameter (v3) 561710b1-b845-4562-95ce-2397a05ccef4 | Info | Structure and Semantics | The template path must have a corresponding path parameter for a given operation | Documentation |
Schema Enum Invalid (v2) 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9 | Info | Structure and Semantics | The field 'enum' of Schema Object should be consistent with the schema's type | Documentation |
Schema Enum Invalid (v3) 03856cb2-e46c-4daf-bfbf-214ec93c882b | Info | Structure and Semantics | The field 'enum' of Schema Object should be consistent with the schema's type | Documentation |
Properties Missing Required Property (v2) 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62 | Info | Structure and Semantics | Schema Object should have all required properties defined | Documentation |
Properties Missing Required Property (v3) 3fb03214-25d4-4bd4-867c-c2d8d708a483 | Info | Structure and Semantics | Schema Object should have all required properties defined | Documentation |
Type Has Invalid Keyword (v2) 492c6cbb-f3f8-4807-aa4f-42b8b1c46b59 | Info | Structure and Semantics | Schema/Parameter/Header Object with a defined type should not use a keyword of another type | Documentation |
Type Has Invalid Keyword (v3) a9228976-10cf-4b5f-b902-9e962aad037a | Info | Structure and Semantics | Schema Object with a defined type should not use a keyword of another type | Documentation |
Path Parameter Not Required (v2) ccd0613f-cb77-4684-a892-183bd2674d12 | Info | Structure and Semantics | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. | Documentation |
Path Parameter Not Required (v3) 0de50145-e845-47f4-9a15-23bcf2125710 | Info | Structure and Semantics | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. | Documentation |
Schema Discriminator Not Required (v2) be6a3722-af60-438c-b1b9-2a03e2958ab7 | Info | Structure and Semantics | The discriminator property in the Schema Object should be a required property | Documentation |
Schema Discriminator Not Required (v3) b481d46c-9c61-480f-86d9-af07146dc4a4 | Info | Structure and Semantics | The discriminator property in the Schema Object should be a required property | Documentation |
Schema Object Properties With Duplicated Keys (v2) ded017bf-fb13-4f8d-868b-84aebcc572ad | Info | Structure and Semantics | Schema Object Property key should be unique throughout the fields 'properties', 'allOf', 'additionalProperties' | Documentation |
Schema Object Properties With Duplicated Keys (v3) 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa | Info | Structure and Semantics | Schema Object Property key should be unique throughout the fields 'properties', 'allOf', 'additionalProperties' | Documentation |
Schema Object With Circular Ref (v2) cbff2508-85c9-4448-a8b3-770070edf5ca | Info | Structure and Semantics | Schema Object should not reference itself in 'allOf', 'oneOf', 'anyOf' and 'not' properties | Documentation |
Schema Object With Circular Ref (v3) 1a1aea94-745b-40a7-b860-0702ea6ee636 | Info | Structure and Semantics | Schema Object should not reference itself in 'allOf', 'oneOf', 'anyOf' and 'not' properties | Documentation |
Path Parameter With No Corresponding Template Path (v2) 194ef1f8-360e-4c14-8ed2-e83e2bafa142 | Info | Structure and Semantics | The path parameter must have a corresponding template path for a given operation | Documentation |
Path Parameter With No Corresponding Template Path (v3) 69d7aefd-149d-47b8-8d89-1c2181a8067b | Info | Structure and Semantics | The path parameter must have a corresponding template path for a given operation | Documentation |
OperationId Not Unique (v2) 21245007-91c4-40e5-964e-40c85d1e5aa6 | Info | Structure and Semantics | OperationId should be unique when defined | Documentation |
OperationId Not Unique (v3) c254adc4-ef25-46e1-8270-b7944adb4198 | Info | Structure and Semantics | OperationId should be unique when defined | Documentation |
Default Invalid (v2) 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07 | Info | Structure and Semantics | The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type | Documentation |
Default Invalid (v3) a96bbc06-8cde-4295-ad3c-ee343a7f658e | Info | Structure and Semantics | The field 'default' of Schema Object should be consistent with the schema's type | Documentation |
Schema Discriminator Mismatch Defined Properties (v2) addc0eab-27f6-4c26-8526-d2ccd3732662 | Info | Structure and Semantics | Schema discriminator values should match defined properties. | Documentation |
Schema Discriminator Mismatch Defined Properties (v3) 40d3df21-c170-4dbe-9c02-4289b51f994f | Info | Structure and Semantics | Schema discriminator values should match defined properties. | Documentation |
Responses With Wrong HTTP Status Code (v2) 069a5378-2091-43f0-aa3b-ee8f20996e99 | Info | Structure and Semantics | HTTP Responses status code should be in range of [200-599] | Documentation |
Responses With Wrong HTTP Status Code (v3) d86655c0-92f6-4ffc-b4d5-5b5775804c27 | Info | Structure and Semantics | HTTP Responses status code should be in range of [200-599] | Documentation |
Items Undefined (v2) 3e4d34d2-36cf-4449-976d-6c256db8fc49 | Info | Structure and Semantics | Schema/Parameter items should be defined when the schema/parameter is set to an array. | Documentation |
Items Undefined (v3) a8e859da-4a43-4e7f-94b8-25d6e3bf8e90 | Info | Structure and Semantics | Schema/Parameter items should be defined when the schema/parameter is set to an array. | Documentation |
Property 'allowEmptyValue' Improperly Defined (v2) 0bc1477d-0922-478b-ae16-674a7634a1a8 | Info | Structure and Semantics | Property 'allowEmptyValue' should be only defined for query parameters and formData parameters | Documentation |
Property 'allowEmptyValue' Improperly Defined (v3) 4bcbcd52-3028-469f-bc14-02c7dbba2df2 | Info | Structure and Semantics | Property 'allowEmptyValue' should be only defined for query parameters and formData parameters | Documentation |
Path Is Ambiguous (v2) b2468463-3ac4-4930-890c-f35b2bf4485d | Info | Structure and Semantics | All paths should be unique; if a path has more than one operation, all operations should be part of the same Path Object | Documentation |
Path Is Ambiguous (v3) 237402e2-c2f0-46c9-9cf5-286160cf7bfc | Info | Structure and Semantics | All paths should be unique; if a path has more than one operation, all operations should be part of the same Path Object | Documentation |
Path Template is Empty (v2) c201b7ad-6173-4598-a407-5edb04a1bcd7 | Info | Structure and Semantics | Path templates should not be empty | Documentation |
Path Template is Empty (v3) ae13a37d-943b-47a7-a970-83c8598bcca3 | Info | Structure and Semantics | Path templates should not be empty | Documentation |
Schema Discriminator Property Not String (v2) 949376f1-f560-4c6d-a016-63424ca931bb | Info | Structure and Semantics | Schema discriminator property should be a string | Documentation |
Schema Discriminator Property Not String (v3) dadc2f36-1f5a-46c0-8289-75e626583123 | Info | Structure and Semantics | Schema discriminator property should be a string | Documentation |
Parameters Name In Combination Not Unique (v2) ab871897-ec02-4835-9818-702536ee1dda | Info | Structure and Semantics | Parameters properties 'name' and 'in' should have unique combinations | Documentation |
Parameters Name In Combination Not Unique (v3) f5b2e6af-76f5-496d-8482-8f898c5fdb4a | Info | Structure and Semantics | Parameters properties 'name' and 'in' should have unique combinations | Documentation |
3.0
Below are the queries related to OpenAPI 3.0:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Field 'securityScheme' On Components Is Undefined 8db5544e-4874-4baa-9322-e9f75a2d219e |
High | Access Control | Components' securityScheme field must have a valid scheme (read more) | Documentation |
Cleartext Credentials With Basic Authentication For Operation 86b1fa30-9790-4980-994d-a27e0f6f27c1 |
High | Access Control | Cleartext credentials over unencrypted channel should not be accepted for the operation (read more) | Documentation |
Security Scheme Using HTTP Negotiate f525cc92-9050-4c41-a75c-890dc6f64449 |
Medium | Access Control | Security Scheme HTTP should not be using negotiate authentication (read more) | Documentation |
Invalid OAuth2 Token URL (v3) 3ba0cca1-b815-47bf-ac62-1e584eb64a05 |
Medium | Access Control | OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more) | Documentation |
OAuth2 With Implicit Flow 39cb32f2-3a42-4af0-8037-82a7a9654b6c |
Medium | Access Control | OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more) | Documentation |
OAuth2 With Password Flow 3979b0a4-532c-4ea7-86e4-34c090eaa4f2 |
Medium | Access Control | OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more) | Documentation |
Security Scheme HTTP Unknown Scheme 06764426-3c56-407e-981f-caa25db1c149 |
Medium | Access Control | Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more) | Documentation |
Security Scheme Using HTTP Digest a4247b11-890b-45df-bf42-350a7a3af9be |
Medium | Access Control | Security Scheme HTTP should not be using digest authentication (read more) | Documentation |
Invalid OAuth2 Authorization URL (v3) 52c0d841-60d6-4a81-88dd-c35fef36d315 |
Medium | Access Control | The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more) | Documentation |
Security Scheme Using HTTP Basic 68e5fcac-390c-4939-a373-6074b7be7c71 |
Medium | Access Control | Security Scheme HTTP should not be using basic authentication (read more) | Documentation |
Implicit Flow in OAuth2 (v3) 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a |
Medium | Access Control | There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more) | Documentation |
Path Server Object Uses HTTP (v3) 9670f240-7b4d-4955-bd93-edaa9fa38b58 |
Medium | Encryption | The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more) | Documentation |
Global Server Object Uses HTTP 2d8c175a-6d90-412b-8b0e-e034ea49a1fe |
Medium | Encryption | Global server object URL should use 'https' protocol instead of 'http' (read more) | Documentation |
Parameter Object Without Schema 8fe1846f-52cc-4413-ace9-1933d7d23672 |
Medium | Insecure Configurations | The Parameter Object should have the attribute 'schema' defined (read more) | Documentation |
Additional Properties Too Restrictive a19c3bbd-c056-40d7-9e1c-eeb0634e320d |
Medium | Insecure Configurations | Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more) | Documentation |
Additional Properties Too Permissive 9f88c88d-824d-4d9a-b985-e22977046042 |
Medium | Insecure Configurations | Objects should not accept 'additionalProperties' if it is possible (read more) | Documentation |
Media Type Object Without Schema f79b9d26-e945-44e7-98a1-b93f0f7a68a0 |
Medium | Insecure Configurations | The Media Type Object should have the attribute 'schema' defined (read more) | Documentation |
Header Object Without Schema 50de3b5b-6465-4e06-a9b0-b4c2ba34326b |
Medium | Networking and Firewall | The header object should have schema defined (read more) | Documentation |
Success Response Code Undefined for Trace Operation 105e20dd-8449-4d71-95c6-d5dac96639af |
Medium | Networking and Firewall | Trace should define the '200' successful code (read more) | Documentation |
Undefined Scope 'securityScheme' On 'security' Field On Operations 462d6a1d-fed9-4d75-bb9e-3de902f35e6e |
Low | Access Control | A scope used on the security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more) | Documentation |
Global Security Scheme Using Basic Authentication 77276d82-4f45-4cf1-8e2b-4d345b936228 |
Low | Access Control | A security scheme is allowing basic authentication credentials to be transported over network (read more) | Documentation |
Undefined Scope 'securityScheme' On Global 'security' Field 23a9e2d9-8738-4556-a71c-2802b6ffa022 |
Low | Access Control | A scope used on the global security field that is undefined on 'securityScheme' can be defined by an attacker (read more) | Documentation |
Security Scheme Using Oauth 1.0 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3 |
Low | Access Control | OAuth 1.0 is deprecated, OAuth2 should be used instead (read more) | Documentation |
API Key Exposed In Global Security Scheme 40e1d1bf-11a9-4f63-a3a2-a8b84c602839 |
Low | Access Control | API Keys should not be transported over network (read more) | Documentation |
Property 'explode' of Encoding Object Ignored a4dd69b8-49fa-45d2-a060-c76655405b05 |
Info | Best Practices | Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more) | Documentation |
Property 'allowReserved' of Encoding Object Ignored 4190dda7-af03-4cf0-a128-70ac1661ca09 |
Info | Best Practices | Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more) | Documentation |
Components Example Definition Is Unused b05bb927-2df5-43cc-8d7b-6825c0e71625 |
Info | Best Practices | Components examples definitions should be referenced or removed from Open API definition (read more) | Documentation |
Encoding Header 'Content-Type' Improperly Defined 4cd8de87-b595-48b6-ab3c-1904567135ab |
Info | Best Practices | Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more) | Documentation |
Components Link Definition Is Unused c19779a9-5774-4d2f-a3a1-a99831730375 |
Info | Best Practices | Components links definitions should be referenced or removed from Open API definition (read more) | Documentation |
Components Schema Definition Is Unused 962fa01e-b791-4dcc-b04a-4a3e7389be5e |
Info | Best Practices | Components schemas definitions should be referenced or removed from Open API definition (read more) | Documentation |
Property 'style' of Encoding Object Ignored d3ea644a-9a5c-4fee-941f-f8a6786c0470 |
Info | Best Practices | Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more) | Documentation |
Property 'allowEmptyValue' Ignored 59c2f769-7cc2-49c8-a3de-4e211135cfab |
Info | Best Practices | Property 'allowEmptyValue' is ignored in the following cases: {"style": "simple", "explode": false}, {"style": "simple", "explode": true}, {"style": "spaceDelimited", "explode": false}, {"style": "pipeDelimited", "explode": false}, and {"style": "deepObject", "explode": true} (read more) | Documentation |
Components Header Definition Is Unused a68da022-e95a-4bc2-97d3-481e0bd6d446 |
Info | Best Practices | Components headers definitions should be referenced or removed from Open API definition (read more) | Documentation |
Components Response Definition Is Unused 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae |
Info | Best Practices | Components responses definitions should be referenced or removed from Open API definition (read more) | Documentation |
Unknown Prefix (v3) a5375be3-521c-43bb-9eab-e2432e368ee4 |
Info | Best Practices | The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more) | Documentation |
Components Parameter Definition Is Unused 698a464e-bb3e-4ba8-ab5e-e6599b7644a0 |
Info | Best Practices | Components parameters definitions should be referenced or removed from Open API definition (read more) | Documentation |
Components Request Body Definition Is Unused 6b76f589-9713-44ab-97f5-59a3dba1a285 |
Info | Best Practices | Components request bodies definitions should be referenced or removed from Open API definition (read more) | Documentation |
Invalid Media Type Value (v3) cf4a5f45-a27b-49df-843a-9911dbfe71d4 |
Info | Best Practices | The Media Type value should match the following format: |
Documentation |
Components Callback Definition Is Unused d15db953-a553-4b8a-9a14-a3d62ea3d79d |
Info | Best Practices | Components callbacks definitions should be referenced or removed from Open API definition (read more) | Documentation |
Parameter Object With Undefined Type 46facedc-f243-4108-ab33-583b807d50b0 |
Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property (read more) | Documentation |
Callback JSON Reference Does Not Exists f29904c8-6041-4bca-b043-dfa0546b8079 |
Info | Structure and Semantics | Callback reference should exist on components field (read more) | Documentation |
Server URL Not Absolute a0bf7382-5d5a-4224-924c-3db8466026c9 |
Info | Structure and Semantics | The Server URL should be an absolute URL (read more) | Documentation |
Header JSON Reference Does Not Exists 376c9390-7e9e-4cb8-a067-fd31c05451fd |
Info | Structure and Semantics | Header reference should exist on components field (read more) | Documentation |
Link Object With Both 'operationId' And 'operationRef' 60fb6621-9f02-473b-9424-ba9a825747d3 |
Info | Structure and Semantics | Link object should not have both 'operationId' and 'operationRef' defined, since they are mutually exclusive. (read more) | Documentation |
Security Operation Field Undefined 20a482d5-c5d9-4a7a-b7a4-60d0805047b4 |
Info | Structure and Semantics | Security operation field should be defined in '#/components/securitySchemes' (read more) | Documentation |
Object Without Required Property (v3) d172a060-8569-4412-8045-3560ebd477e8 |
Info | Structure and Semantics | OpenAPI Object should contain all of its required fields (read more) | Documentation |
Invalid Content Type For Multiple Files Upload 26f06397-36d8-4ce7-b993-17711261d777 |
Info | Structure and Semantics | Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more) | Documentation |
Link Object Incorrect Ref b9db8a10-020c-49ca-88c6-780e5fdb4328 |
Info | Structure and Semantics | Link object reference must always point to '#/components/links' (read more) | Documentation |
Response JSON Reference Does Not Exists (v3) 7a01dfbd-da62-4165-aed7-71349ad42ab4 |
Info | Structure and Semantics | Response reference should exist on components field (read more) | Documentation |
Callback Object With Incorrect Ref ba066cda-e808-450d-92b6-f29109754d45 |
Info | Structure and Semantics | Callback Object reference must always point to '#/components/callbacks' (read more) | Documentation |
Schema JSON Reference Does Not Exists (v3) 015eac96-6313-43c0-84e5-81b1374fa637 |
Info | Structure and Semantics | Schema reference should exist on components field (read more) | Documentation |
Components Object Fixed Field Key Improperly Named 151331e2-11f4-4bb6-bd35-9a005e695087 |
Info | Structure and Semantics | Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: ^[a-zA-Z0-9\.\-_]+$ (read more) |
Documentation |
Unknown Property (v3) fb7d81e7-4150-48c4-b914-92fc05da6a2f |
Info | Structure and Semantics | All properties defined in OpenAPI objects should be known (read more) | Documentation |
Parameter Object Content With Multiple Entries 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df |
Info | Structure and Semantics | The map content property of the parameter object should only contain one entry (read more) | Documentation |
Encoding Map Key Mismatch Schema Defined Properties cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b |
Info | Structure and Semantics | Encoding Map Key should be set in schema defined properties (read more) | Documentation |
Example JSON Reference Outside Components Examples bac56e3c-1f71-4a74-8ae6-2fba07efcddb |
Info | Structure and Semantics | Reference to examples should point to #/components/examples (read more) | Documentation |
Empty Array 5915c20f-dffa-4cee-b5d4-f457ddc0151a |
Info | Structure and Semantics | All array fields should not be empty (read more) | Documentation |
Security Requirement Object With Wrong Scopes 37140f7f-724a-4c87-a536-e9cee1d61533 |
Info | Structure and Semantics | Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more) | Documentation |
Example JSON Reference Does Not Exists 6a2c219f-da5e-4745-941e-5ea8cde23356 |
Info | Structure and Semantics | Example reference should exist on components field (read more) | Documentation |
Request Body Object With Incorrect Media Type 58f06434-a88c-4f74-826c-db7e10cc7def |
Info | Structure and Semantics | The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more) | Documentation |
Parameter JSON Reference Does Not Exists (v3) 2e275f16-b627-4d3f-ae73-a6153a23ae8f |
Info | Structure and Semantics | Parameter reference should exist on components field (read more) | Documentation |
Link Object OperationId Does Not Target Operation Object c5bb7461-aa57-470b-a714-3bc3d74f4669 |
Info | Structure and Semantics | Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more) | Documentation |
Response Object With Incorrect Ref (v3) b3871dd8-9333-4d6c-bd52-67eb898b71ab |
Info | Structure and Semantics | Response Object reference must always point to '#/components/responses' (read more) | Documentation |
Security Field Undefined ab1263c2-81df-46f0-9f2c-0b62fdb68419 |
Info | Structure and Semantics | Security field should be defined in '#/components/securitySchemes' (read more) | Documentation |
Header Object With Incorrect Ref 2d6646f4-2946-420f-8c14-3232d49ae0cb |
Info | Structure and Semantics | Header Object reference must always point to '#/components/headers' (read more) | Documentation |
Property 'allowReserved' Improperly Defined 7f203940-39c4-4ea7-91ee-7aba16bca9e2 |
Info | Structure and Semantics | Property 'allowReserved' should be only defined for query parameters (read more) | Documentation |
Schema With Both ReadOnly And WriteOnly d2361d58-361c-49f0-9e50-b957fd608b29 |
Info | Structure and Semantics | Schema should not have both 'writeOnly' and 'readOnly' set to true (read more) | Documentation |
Link JSON Reference Does Not Exists 801f0c6a-a834-4467-89c6-ddecffb46b5a |
Info | Structure and Semantics | Link reference should exist on components field (read more) | Documentation |
Parameter Object With Incorrect Ref (v3) d40f27e6-15fb-4b56-90f8-fc0ff0291c51 |
Info | Structure and Semantics | Parameter Object reference must always point to '#/components/parameters' (read more) | Documentation |
Server URL Uses Undefined Variables 8d0921d6-4131-461f-a253-99e873f8f77e |
Info | Structure and Semantics | Any variable used in the Server URL should be defined in the Server Object through 'variables'. (read more) | Documentation |
Request Body With Incorrect Ref 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d |
Info | Structure and Semantics | Request Body reference must always point to '#/components/requestBodies' (read more) | Documentation |
Request Body JSON Reference Does Not Exists ca02f4e8-d3ae-4832-b7db-bb037516d9e7 |
Info | Structure and Semantics | Request Body reference should exist on components field (read more) | Documentation |
Server Object Variable Not Used 8aee4754-970d-4c5f-8142-a49dfe388b1a |
Info | Structure and Semantics | Every defined Server Variable Object should be used in a Server URL. (read more) | Documentation |
Servers Array Undefined c66ebeaa-676c-40dc-a3ff-3e49395dcd5e |
Info | Structure and Semantics | The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more) | Documentation |
Schema Object Incorrect Ref (v3) 4cac7ace-b0fb-477d-830d-65395d9109d9 |
Info | Structure and Semantics | Schema Object reference must always point to '#/components/schemas' (read more) | Documentation |
Parameter Object With Schema And Content 31dd6fc0-f274-493b-9614-e063086c19fc |
Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more) | Documentation |
2.0
Below are listed the queries related to OpenAPI 2.0:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Security Definitions Undefined or Empty e3f026e8-fdb4-4d5a-bcfd-bd94452073fe |
High | Access Control | Security Definitions Object should be set and not empty (read more) | Documentation |
Security Requirement Not Defined In Security Definition a599b0d1-ff89-4cb8-9ece-9951854c06f6 |
High | Structure and Semantics | All security requirement objects must be defined in 'securityDefinitions' (read more) | Documentation |
Non OAuth2 Security Requirement Defining OAuth2 Scopes ba239cb9-f342-4c20-812d-7b5a2aa6969e |
High | Structure and Semantics | If the security scheme is not of type 'oauth2', the array value must be empty (read more) | Documentation |
Invalid OAuth2 Token URL (v2) 274f910a-0665-4f08-b66d-7058fe927dba |
Medium | Access Control | OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more) | Documentation |
Security Definitions Allows Password Flow 773116aa-2e6d-416f-bd85-f0301cc05d76 |
Medium | Access Control | Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more) | Documentation |
Operation Using Password Flow 2e44e632-d617-43cb-b294-6bfe72a08938 |
Medium | Access Control | Operation Object should not use 'password' Flow in OAuth2 authentication (read more) | Documentation |
Invalid OAuth2 Authorization URL (v2) 33d96c65-977d-4c33-943f-440baca49185 |
Medium | Access Control | The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more) | Documentation |
Global Security Using Password Flow 2da46be4-4317-4650-9285-56d7103c4f93 |
Medium | Access Control | Security should not use 'password' Flow in OAuth2 authentication (read more) | Documentation |
Implicit Flow in OAuth2 (v2) e9817ad8-a8c9-4038-8a2f-db0e6e7b284b |
Medium | Access Control | There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more) | Documentation |
Schemes Uses HTTP a46928f1-43d7-4671-94e0-2dd99746f389 |
Medium | Encryption | Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more) | Documentation |
Path Scheme Accepts HTTP (v2) a6847dc6-f4ea-45ac-a81f-93291ae6c573 |
Medium | Encryption | The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more) | Documentation |
Global Schemes Uses HTTP f30ee711-0082-4480-85ab-31d922d9a2b2 |
Medium | Encryption | Global Schemes should use 'https' protocol instead of 'http' (read more) | Documentation |
Operation Object Without 'produces' be3e170e-1572-461e-a8b6-d963def581ec |
Medium | Insecure Configurations | Operation Object should have 'produces' field defined for 'GET' operation (read more) | Documentation |
Operation Object Without 'consumes' 0c79e50e-b3cf-490c-b8f6-587c644d4d0c |
Medium | Insecure Configurations | Operation Object should have 'consumes' field defined for 'POST', 'PUT' and 'PATCH' operations (read more) | Documentation |
Undefined Scope 'securityDefinition' On 'security' Field On Operations 3847280c-9193-40bc-8009-76168e822ce2 |
Low | Access Control | A scope used on the security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more) | Documentation |
Undefined Scope 'securityDefinition' On Global 'security' Field 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f |
Low | Access Control | A scope used on the global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more) | Documentation |
Operation Using Basic Auth ceefb058-8065-418f-9c4c-584a78c7e104 |
Low | Access Control | Operation Object should not use basic authentication (read more) | Documentation |
Security Definitions Using Basic Auth 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8 |
Low | Access Control | Security Definition Object should not use basic authentication (read more) | Documentation |
Operation Using Implicit Flow f42dfe7e-787d-4478-a75e-a5f3d8a2269e |
Low | Access Control | Operation Object should not use implicit flow (read more) | Documentation |
Operation Summary Too Long d47940ca-5970-45cc-bdd1-4d81398cee1f |
Low | Best Practices | Operation summary should be short (less than 120 characters) (read more) | Documentation |
Global Responses Definition Not Being Used 0b76d993-ee52-43e0-8b39-3787d2ddabf1 |
Info | Best Practices | All global responses definitions should be in use (read more) | Documentation |
Global Schema Definition Not Being Used 6d2e0790-cc3d-4c74-b973-d4e8b09f4455 |
Info | Best Practices | All global schemas definitions should be in use (read more) | Documentation |
Constraining Enum Property be1d8733-3731-40c7-a845-734741c6871d |
Info | Best Practices | There is a constraining keyword in a property which is already restricted by enum values (read more) | Documentation |
Global Parameter Definition Not Being Used b30981fa-a12e-49c7-a5bb-eeafb61d0f0f |
Info | Best Practices | All global parameters definitions should be in use (read more) | Documentation |
Unknown Prefix (v2) 3b615f00-c443-4ba9-acc4-7c308716917d |
Info | Best Practices | The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more) | Documentation |
Schema with 'additionalProperties' set as Boolean 3a01790c-ebee-4da6-8fd3-e78657383b75 |
Info | Best Practices | The value of 'additionalProperties' should be set as object instead of boolean, since Swagger 2.0 does not support boolean value for it (read more) | Documentation |
Invalid Media Type Value (v2) f985a7d2-d404-4a7f-9814-f645f791e46e |
Info | Best Practices | The Media Type value should match the following format: |
Documentation |
Multiple Body Parameters In The Same Operation b90033cf-ad9f-4fb9-acd1-1b9d6d278c87 |
Info | Structure and Semantics | Only one body parameter is allowed on operation's parameters type field (read more) | Documentation |
Host With Invalid Pattern 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0 |
Info | Structure and Semantics | Host field should be an IP or a valid host name (read more) | Documentation |
Non Body Parameter Without Schema 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951 |
Info | Structure and Semantics | The Body Parameter Object should have the attribute 'schema' defined (read more) | Documentation |
Object Without Required Property (v2) 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 |
Info | Structure and Semantics | OpenAPI Object should contain all of its required fields (read more) | Documentation |
Parameter File Type Not In 'formData' c3cab8c4-6c52-47a9-942b-c27f26fbd7d2 |
Info | Structure and Semantics | The In field of Parameter Object must be 'formData' when type is 'file' (read more) | Documentation |
Responses JSON Reference Does Not Exists (v2) e9db5fb4-6a84-4abb-b4af-3b94fbdace6d |
Info | Structure and Semantics | Responses reference should exist on responses definition field (read more) | Documentation |
Body Parameter Without Schema ed48229d-d43e-4da7-b453-5f98d964a57a |
Info | Structure and Semantics | The Body Parameter Object should have the attribute 'schema' defined (read more) | Documentation |
Property Not Unique 750b40be-4bac-4f59-bdc4-1ca0e6c3450e |
Info | Structure and Semantics | Every defined property must be unique throughout the whole API (read more) | Documentation |
Schema JSON Reference Does Not Exists (v2) 98295b32-ec09-4b5b-89a9-39853197f914 |
Info | Structure and Semantics | Schema reference should exist on definitions field (read more) | Documentation |
Unknown Property (v2) 429b2106-ba37-43ba-9727-7f699cc611e1 |
Info | Structure and Semantics | All properties defined in OpenAPI objects should be known (read more) | Documentation |
File Parameter With Wrong Consumes Property 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a |
Info | Structure and Semantics | Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more) | Documentation |
Operation Object Parameters With 'body' And 'formatData' locations eb3f9744-d24e-4614-b1ff-2a9514eca21c |
Info | Structure and Semantics | Operation object parameters should not have both 'body' and 'formatData' locations (read more) | Documentation |
Body Parameter With Wrong Property c38d630d-a415-4e3e-bac2-65475979ba88 |
Info | Structure and Semantics | The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more) | Documentation |
Parameter JSON Reference Does Not Exists (v2) fb889ae9-2d16-40b5-b41f-9da716c5abc1 |
Info | Structure and Semantics | Parameter reference should exist on parameters definition field (read more) | Documentation |
Multi 'collectionformat' Not Valid For 'in' Parameter 750f6448-27c0-49f8-a153-b81735c1e19c |
Info | Structure and Semantics | When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more) | Documentation |
Response Object With Incorrect Ref (v2) bccfa089-89e4-47e0-a0e5-185fe6902220 |
Info | Structure and Semantics | Response Object reference must always point to '#/responses' (read more) | Documentation |
Parameter Object With Incorrect Ref (v2) 2596545e-1757-4ff7-a15a-8a9a180a42f3 |
Info | Structure and Semantics | Parameter Object reference must always point to '#/parameters' (read more) | Documentation |
Operation Example Mismatch Produces MimeType 2cf35b40-ded3-43d6-9633-c8dcc8bcc822 |
Info | Structure and Semantics | Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more) | Documentation |
BasePath With Wrong Format b4803607-ed72-4d60-99e2-3fa6edf471c6 |
Info | Structure and Semantics | The 'basePath' value format must match the pattern '^/' (read more) | Documentation |
Schema Object Incorrect Ref (v2) 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283 |
Info | Structure and Semantics | Schema Object reference must always point to '#/definitions' (read more) | Documentation |