96 V-IDs across CAT I / II / III - full Application Security & Development STIG coverage with mobile extensions Coverity doesn't ship. The DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) for Application Security & Development is the canonical hardening checklist for software running in US Department of Defense networks. PhantomYerra ships every V-ID natively across CAT I (Critical), CAT II (High), and CAT III (Medium).
The Application Security & Development STIG defines hardening requirements for software developed for, or deployed to, US Department of Defense networks. Each requirement is identified by a V-ID (Vulnerability ID, format V-NNNNNN) and assigned a severity category. PhantomYerra emits findings tagged with the V-ID directly so the resulting evidence is auditor-ready out of the box.
DISA STIG findings are graded by impact-to-mission. CAT I findings indicate a direct vulnerability that an adversary could exploit to compromise the system; CAT II describes weaknesses that can directly lead to a CAT I if combined with other findings; CAT III describes hardening items that reduce attack surface or aid defenders. PhantomYerra grades every finding with the official STIG category - no manual annotation required.
Representative DISA STIG AppDev V-IDs with the YerraSAST rule that fires and the CWE / OWASP cross-tag. Full mapping is in resources/compliance/DISA_STIG_appdev.json.
| V-ID | Title | CAT | YerraSAST rule | CWE |
|---|---|---|---|---|
| V-222400 | Application must protect from Cross-Site Scripting (XSS) | CAT I | DAST-XSS-reflected, SAST-OUTPUT-encode | CWE-79 |
| V-222402 | Application must protect from command-injection | CAT I | SAST-CMD-inject, DAST-shell-inject | CWE-78 |
| V-222406 | Application must enforce approved authorisations | CAT I | DAST-IDOR, SAST-AUTHZ-missing | CWE-285 |
| V-222408 | Application must implement multi-factor authentication for network access | CAT II | SAST-AUTH-mfa-missing | CWE-308 |
| V-222412 | Application must use FIPS-validated cryptographic modules | CAT I | SAST-CRYPTO-non-fips, SAST-CRYPTO-md5, SAST-CRYPTO-des | CWE-327 |
| V-222414 | Application must use approved random-number generators | CAT II | SAST-CRYPTO-weak-prng | CWE-330 |
| V-222416 | Application must protect the confidentiality of stored passwords | CAT I | SAST-CRYPTO-plain-password, SAST-CRYPTO-weak-hash | CWE-256, CWE-916 |
| V-222418 | Application must protect from SQL Injection | CAT I | SAST-SQLI, DAST-SQLI-boolean, DAST-SQLI-time | CWE-89 |
| V-222420 | Application must protect from Cross-Site Request Forgery (XSRF) | CAT II | DAST-CSRF, SAST-CSRF-missing | CWE-352 |
| V-222422 | Application must prevent unauthorised information disclosure via error messages | CAT II | SAST-ERR-stack-trace, DAST-ERR-leak | CWE-209 |
| V-222425 | Application must implement TLS for all sessions | CAT I | SAST-TLS-missing, DAST-TLS-mixed | CWE-319 |
| V-222428 | Application must validate digital signatures on signed content | CAT II | SAST-SIG-missing-verify, SAST-JWT-no-verify | CWE-345, CWE-347 |
| V-222430 | Application must protect the confidentiality of transmitted information | CAT I | SAST-PII-plain-transport | CWE-319 |
| V-222432 | Application must use only approved cryptographic algorithms | CAT I | SAST-CRYPTO-banned-algo | CWE-327 |
| V-222435 | Application must terminate session after period of inactivity | CAT II | SAST-SESSION-no-timeout | CWE-613 |
| V-222438 | Application must enforce account lockout after failed login attempts | CAT II | DAST-AUTH-no-lockout | CWE-307 |
| V-222440 | Application must protect against brute-force attacks | CAT II | DAST-AUTH-no-throttle | CWE-307 |
| V-222445 | Application must obscure feedback during authentication | CAT II | DAST-AUTH-user-enum | CWE-204, CWE-203 |
| V-222448 | Application must log security-relevant events | CAT II | SAST-LOG-missing-audit | CWE-778 |
| V-222452 | Application must protect audit information from unauthorised access | CAT II | SAST-LOG-world-readable | CWE-532 |
| V-222455 | Application must not log credentials | CAT I | SAST-LOG-secret-leak | CWE-532, CWE-209 |
| V-222470 | Application must implement DoD-approved CA path validation | CAT II | SAST-TLS-no-verify, SAST-TLS-pinning-missing | CWE-295 |
22 V-IDs shown of the 96 total. The full mapping is shipped as the JSON pack inside PhantomYerra and is regenerated on every release to match the latest DISA STIG benchmark publication.
The DISA STIG is language-neutral - it describes outcomes, not implementation patterns. PhantomYerra's per-language SAST scanners each implement the patterns that satisfy or violate each V-ID for their language. The same V-ID maps to different rule IDs in C versus Java versus Python - PhantomYerra emits all of them tagged identically.
| Language | Native rule count | V-IDs covered |
|---|---|---|
| C | 5,762 | 96 / 96 |
| C++ | 4,574 | 96 / 96 |
| Java | 2,164 | 96 / 96 |
| JavaScript / TypeScript | 1,667 | 92 / 96 (non-applicable: 4 binary-runtime V-IDs) |
| C# / .NET (VB.NET) | 932 | 96 / 96 |
| Python | 743 | 94 / 96 |
| PHP | native engine | 94 / 96 |
| Ruby | 55+ | 92 / 96 |
| Go | native engine | 94 / 96 |
| Rust | native engine | 93 / 96 |
| Kotlin | native engine | 94 / 96 |
| Swift / Objective-C | native engine | 92 / 96 + mobile extensions |
| Scala | native engine | 94 / 96 |
| Dart | native engine | 92 / 96 + mobile extensions |
| Groovy | 420 | 94 / 96 |
| Shell | 11+, plus AST fuzzer | 74 / 96 |
| Mobile (Android + iOS) | 338 | + MOBI extensions (CAT I keychain / IPC / data-at-rest) |
| SCA / SBOM | 809 | + supply-chain V-IDs |
| Total languages | 19 | Coverity: 17 |
Both vendors cover all 96 V-IDs of the Application Security & Development STIG. Where PhantomYerra goes further than Coverity:

1. Mobile-specific extensions (Android keychain misuse, iOS Keychain accessibility, IPC permission leaks, exported activity / intent bugs); Coverity's AppDev STIG pack does not cover mobile-specific V-IDs.
2. 19 supported languages versus Coverity's 17, with native scanners for Kotlin, Swift, Objective-C and Dart for mobile parity.
3. Per-V-ID DAST cross-confirmation where applicable (for example, V-222418 SQLi is confirmed by both SAST and an actual DAST exploit attempt).
4. SCAP-format output for DoD ATO submission alongside the standard HTML / DOCX / PDF reports.
5. Air-gapped operation, which is the default mode of every DoD network where this STIG actually applies.
6. Perpetual licence pricing; DoD budgets prefer perpetual plus maintenance over an annual subscription.
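As an added example (not PhantomYerra's own code or output format), the per-V-ID rollup described above and in the language-neutral mapping note: raw rule hits are grouped by V-ID using a subset of the mapping transcribed from the table on this page, ordered by CAT, and a V-ID is flagged as cross-confirmed when both a SAST- and a DAST- rule for it fired. The finding tuple shape, the engine-prefix convention and the sample findings are assumptions.

```python
import re
from collections import defaultdict

# Subset of the STIG AppDev mapping transcribed from the table on this page;
# the full pack (resources/compliance/DISA_STIG_appdev.json) is not reproduced.
STIG_MAP = {
    "V-222400": ("CAT I", ["DAST-XSS-reflected", "SAST-OUTPUT-encode"]),
    "V-222418": ("CAT I", ["SAST-SQLI", "DAST-SQLI-boolean", "DAST-SQLI-time"]),
    "V-222420": ("CAT II", ["DAST-CSRF", "SAST-CSRF-missing"]),
    "V-222435": ("CAT II", ["SAST-SESSION-no-timeout"]),
    "V-222455": ("CAT I", ["SAST-LOG-secret-leak"]),
}
CAT_RANK = {"CAT I": 0, "CAT II": 1, "CAT III": 2}
V_ID_RE = re.compile(r"^V-\d{6}$")  # V-NNNNNN format stated on the page
# Reverse index: rule ID -> V-ID (several rules may map to one V-ID)
RULE_TO_VID = {r: vid for vid, (_, rules) in STIG_MAP.items() for r in rules}

def rollup(findings):
    """Group raw rule hits by V-ID and flag SAST+DAST cross-confirmation.
    findings: iterable of (rule_id, location) pairs (assumed shape, not the
    tool's real output). Returns (report sorted by CAT then V-ID, unmapped rules)."""
    by_vid = defaultdict(lambda: {"rules": set(), "hits": 0})
    unmapped = []
    for rule, _loc in findings:
        vid = RULE_TO_VID.get(rule)
        if vid is None or not V_ID_RE.match(vid):
            unmapped.append(rule)
            continue
        by_vid[vid]["rules"].add(rule)
        by_vid[vid]["hits"] += 1
    report = []
    for vid, data in by_vid.items():
        # Engine is the rule-ID prefix (SAST-/DAST-), an assumption from the naming
        engines = {r.split("-", 1)[0] for r in data["rules"]}
        report.append({"v_id": vid, "cat": STIG_MAP[vid][0],
                       "rules": sorted(data["rules"]), "hits": data["hits"],
                       "cross_confirmed": {"SAST", "DAST"} <= engines})
    report.sort(key=lambda r: (CAT_RANK[r["cat"]], r["v_id"]))
    return report, unmapped

# Constructed sample findings: (rule_id, location)
SAMPLE = [("SAST-SQLI", "app/db.py:42"), ("DAST-SQLI-time", "GET /search?q="),
          ("SAST-SESSION-no-timeout", "app/session.py:10"),
          ("SAST-LOG-secret-leak", "app/auth.py:77"),
          ("SAST-CSRF-missing", "app/forms.py:5"),
          ("SAST-UNKNOWN-rule", "app/x.py:1")]

if __name__ == "__main__":
    for row in rollup(SAMPLE)[0]:
        print(row["cat"], row["v_id"], row["hits"], "cross-confirmed" if row["cross_confirmed"] else "")
```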