
Java

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

This article covers Java support and vulnerability detection for Mend SAST.

Mend SAST-supported Java file types

  • .java
  • .jsp
  • .jspf
  • .jspx

Mend SAST-supported Java frameworks

  • Hibernate
  • J2EE
  • JavaBeans
  • JAX-RPC
  • JAX-RS
  • JAX-WS
  • JSP
  • Micronaut
  • Spring
  • Spring Boot
  • Struts
  • Struts2
  • Websockets

Mend SAST-supported Java vulnerability types

The Java vulnerability types detected by SAST are listed below, grouped by severity and ordered by CWE ID within each severity. The Low Probability Impact column describes how enabling the scan's Low Probability Findings option changes detection for that type: the additional taint sources or sinks that are considered, the sanitizers that are no longer trusted, the types that are reported only in that mode, and the types whose detection is unaffected.

Java high-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-22 | Path/Directory Traversal | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-74 | JNDI Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-74 | XSLT Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-78 | Command Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-79 | Cross-Site Scripting | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access); Skipped taint sanitizers: an XML content type is not accepted as a sanitizer, so such responses are still treated as vulnerable to XSS
CWE-89 | SQL Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-94 | Code Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-134 | Unsafe Format String | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-352 | Cross-Site Request Forgery (CSRF) | Only detected when Low Probability Findings are enabled; Additional taint sinks: code that disables standard CSRF implementations
CWE-502 | Deserialization of Untrusted Data | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-643 | XPath Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-917 | Expression Language Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-918 | Server-Side Request Forgery | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access); Skipped taint sanitizers: a heuristic regex check is not accepted as a sanitizer
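
The practical effect of the "additional taint sources" entries is that data arriving from main-method arguments, environment variables or configuration is only followed to a sink when Low Probability Findings are enabled. The following Java program is an added illustration, not code from this article or from Mend: it takes a report name from argv or an environment variable and uses it both in a file path (CWE-22) and in a shell command (CWE-78), then shows the hardened equivalents. The base directory, the `REPORT_NAME` variable and the `ls` command are assumptions for the example; a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Mend code. Constructed scenario: a CLI report tool whose
// input comes from argv or the environment rather than from an HTTP request.
public class ReportTool {

    // Assumed base directory for the example.
    static final Path BASE_DIR = Paths.get("/var/reports").toAbsolutePath().normalize();

    // Vulnerable (CWE-22): the name comes straight from argv or the environment.
    // These are not default taint sources, so this flow is reported only when
    // Low Probability Findings are enabled.
    static Path reportPathUnsafe(String[] args) {
        String name = args.length > 0 ? args[0] : System.getenv("REPORT_NAME");
        // "../../etc/passwd" or an absolute path escapes BASE_DIR
        return BASE_DIR.resolve(name);
    }

    // Vulnerable (CWE-78): the shell interprets ";", "&&" and "$(...)" in name.
    static Process listReportUnsafe(String name) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", "ls -l " + name});
    }

    // Hardened: normalise the joined path, then require it to stay inside
    // BASE_DIR. Path.startsWith compares whole name elements, so
    // "/var/reports2" does not pass as "/var/reports". If BASE_DIR may contain
    // symlinks, compare toRealPath() results instead.
    static Path reportPathSafe(String name) {
        Path p = BASE_DIR.resolve(name).normalize();
        if (!p.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("report name escapes base directory: " + name);
        }
        return p;
    }

    // Hardened: no shell. The path is one argv element and cannot add commands;
    // "--" stops ls from treating a name that starts with "-" as an option.
    static Process listReportSafe(Path report) throws IOException {
        return new ProcessBuilder("ls", "-l", "--", report.toString()).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign name and two traversal attempts.
        for (String name : new String[] {"q1.txt", "../../etc/passwd", "/etc/passwd"}) {
            try {
                System.out.println("accepted: " + reportPathSafe(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` accepts `q1.txt` and rejects both traversal attempts; `BASE_DIR.resolve("/etc/passwd")` returns the absolute argument unchanged, which is exactly why the containment check is needed rather than a check on the raw string.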

Java medium-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-90 | LDAP Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-209 | Error Messages Information Exposure | Unaffected
CWE-312 | Store Sensitive Information | Unaffected
CWE-319 | Insufficient Transport Layer Protection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-327 | Insecure Cryptographic Algorithm | Unaffected
CWE-335 | Predictable Seed | Unaffected
CWE-338 | Weak Pseudo-Random | Additional taint sinks: invocations of non-cryptographic random functions such as Math.random
CWE-347 | Improper Verification of JWT Signature | Unaffected
CWE-400 | Loop Denial of Service | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-400 | Readline Denial of Service | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-400 | Regex Denial of Service (ReDoS) | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-400 | Sleep Denial of Service | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-470 | Unsafe Reflection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-472 | Hidden HTML Input | Unaffected
CWE-501 | Trust Boundary Violation | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-611 | XML External Entity (XXE) Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-676 | Miscellaneous Dangerous Functions | Unaffected
CWE-780 | Weak RSA Encryption | Unaffected
CWE-798 | Hardcoded Password/Credentials | Additional taint sinks: assignments or comparisons of hard-coded strings to variables/attributes with sensitive names such as password
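
Two rows in this table name their extra sinks explicitly: CWE-338 matches calls to non-cryptographic random functions such as Math.random, and CWE-798 matches a string literal assigned to, or compared with, a variable whose name looks like a password. The Java class below is an added example, not code from this article or from Mend; it places each of those sinks next to a form that does not trip it. The PBKDF2 iteration count and the "salt:iterations:hash" record layout are assumptions for the example; in production the record would come from a secret store or the environment, not from source.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not Mend code.
public class Credentials {

    // CWE-338 sink: Math.random is backed by java.util.Random, whose output is
    // predictable once a few values are observed. Unusable for tokens.
    static String weakToken() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 32; i++) {
            sb.append(Character.forDigit((int) (Math.random() * 16), 16));
        }
        return sb.toString();
    }

    private static final SecureRandom RNG = new SecureRandom();

    // Hardened: 256 bits from the platform CSPRNG, URL-safe encoded.
    static String strongToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // CWE-798 sink: a literal assigned to a field named like a password and
    // then compared with user input. The secret ships in every build.
    private static final String ADMIN_PASSWORD = "hunter2";

    static boolean loginWeak(String supplied) {
        return ADMIN_PASSWORD.equals(supplied);
    }

    // Hardened: the secret never appears in source. The service keeps only a
    // verifier record "salt:iterations:hash" (Base64 fields) and compares the
    // derived hash in constant time.
    static final int PBKDF2_ITERATIONS = 600_000; // assumed cost setting
    static final String PBKDF2 = "PBKDF2WithHmacSHA256";

    static String makeVerifierRecord(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + PBKDF2_ITERATIONS + ":" + enc.encodeToString(hash);
    }

    static boolean loginSafe(char[] supplied, String record) throws GeneralSecurityException {
        String[] parts = record.split(":");
        if (parts.length != 3) {
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        int iterations = Integer.parseInt(parts[1]);
        byte[] expected = dec.decode(parts[2]);
        byte[] actual = pbkdf2(supplied, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance(PBKDF2).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("weak token:   " + weakToken());
        System.out.println("strong token: " + strongToken());
        // Constructed test value; a real record is provisioned outside the code.
        String record = makeVerifierRecord("correct horse".toCharArray());
        System.out.println("correct password accepted: " + loginSafe("correct horse".toCharArray(), record));
        System.out.println("wrong password accepted:   " + loginSafe("hunter2".toCharArray(), record));
    }
}
```

`MessageDigest.isEqual` is used for the final comparison because `Arrays.equals` returns as soon as a byte differs, which is the timing side channel listed as CWE-208 in the low-severity table.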

Java low-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-15 | System Properties Change | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-20 | Mail Relay | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-113 | HTTP Header Injection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-117 | Log Forging | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-208 | Observable Timing Discrepancy | Only detected when Low Probability Findings are enabled
CWE-256 | Plaintext Storage of a Password | Only detected when Low Probability Findings are enabled
CWE-297 | Improper Certificate Validation | Unaffected
CWE-325 | Missing Cryptographic Step | Unaffected
CWE-328 | Weak Hash Strength | Unaffected
CWE-497 | System Properties Disclosure | Unaffected
CWE-532 | Log Sensitive Information | Unaffected
CWE-601 | Unvalidated/Open Redirect | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access); Skipped taint sanitizers: a heuristic regex check is not accepted as a sanitizer
CWE-941 | Arbitrary Server Connection | Additional taint sources: files and streams, databases, environment (command-line calls, main method arguments, environment variables, configuration, URL access)
CWE-1004 | Cookie Without 'HttpOnly' Flag | Unaffected
CWE-1204 | Weak Initialization Vector | Unaffected
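
The "skipped taint sanitizers" entry for CWE-601 here (and for CWE-918 in the high-severity table) means that, with Low Probability Findings enabled, a regular-expression match on the tainted URL is no longer enough to clear the finding. The Java class below is an added example, not code from this article or from Mend, showing why that is the conservative choice: a regex that looks like validation is bypassed by three common tricks, while parsing the target with java.net.URI and checking the host against an allow-list is not. The allow-listed host names are assumptions for the example; Set.of requires Java 9 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not Mend code.
public class RedirectTarget {

    // Assumed allow-list of hosts the application may redirect to.
    static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "login.example.com");

    // Looks like a sanitizer, but the trailing ".*" accepts any continuation:
    // "https://app.example.com.evil.net/" and "https://app.example.com@evil.net/"
    // both match.
    static boolean regexAllows(String target) {
        return target.matches("^https://(app|login)\\.example\\.com.*");
    }

    // Returns a redirect target that is either a site-relative path or an
    // https URL on an allow-listed host; anything else falls back to "/".
    static String safeTarget(String target) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return "/"; // backslashes, spaces and other malformed input end here
        }
        boolean relative = uri.getScheme() == null && uri.getRawAuthority() == null;
        if (relative) {
            // "//evil.net/x" is parsed as an authority, so it never reaches this
            // branch; the leading-slash check rejects "evil.net/x" as a path.
            String path = uri.getRawPath();
            return (path != null && path.startsWith("/")) ? uri.toString() : "/";
        }
        boolean allowedHost = "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && uri.getRawUserInfo() == null // rejects https://app.example.com@evil.net/
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
        return allowedHost ? uri.toString() : "/";
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate targets and three bypass attempts.
        String[] targets = {
            "https://app.example.com/dashboard",
            "/account",
            "https://app.example.com.evil.net/",
            "https://app.example.com@evil.net/",
            "//evil.net/phish",
        };
        for (String t : targets) {
            System.out.printf("%-36s regex=%-5s safe=%s%n", t, regexAllows(t), safeTarget(t));
        }
    }
}
```

For the three bypass inputs `regexAllows` returns true for the first two and `safeTarget` returns "/" for all three; the legitimate absolute and relative targets are passed through unchanged. The same parse-then-allow-list approach is the right replacement for a regex "sanitizer" in front of an outbound HTTP client (CWE-918).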
