no-dynamic-dependency-loading
The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:
Security rule for mobile applications
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-494 OWASP:A08 CVSS:8.1 | Download of Code Without Integrity Check detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A08_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-494 OWASP:A08 CVSS:8.1 |
| Issue Description | Specific vulnerability | Download of Code Without Integrity Check detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
This rule security rule for mobile applications.
OWASP Mobile Top 10: Mobile
CWE: CWE-494
Severity: error
Examples
❌ Incorrect
// Insecure pattern✅ Correct
// Secure patternWhen Not To Use It
This rule should be enabled for all mobile and web applications to ensure security best practices.
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Further Reading
Related Rules
- See other mobile security rules in this plugin
Category: Mobile Security
Type: Problem
Recommended: Yes