Java
Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.
This article covers Java support and vulnerability detection for Mend SAST.
Mend SAST-supported Java file types
File Type |
---|
.java |
.jsp |
.jspf |
.jspx |
Mend SAST-supported Java frameworks
Framework |
---|
Hibernate |
J2EE |
JavaBeans |
JAX-RPC |
JAX-RS |
JAX-WS |
JSP |
Micronaut |
Spring |
Spring Boot |
Struts |
Struts2 |
Websockets |
Mend SAST-supported Java vulnerability types
The Java vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity group.
Java high-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-22 | Path/Directory Traversal |
CWE-74 | JNDI Injection |
CWE-74 | XSLT Injection |
CWE-78 | Command Injection |
CWE-79 | Cross-Site Scripting |
CWE-89 | SQL Injection |
CWE-94 | Code Injection |
CWE-134 | Unsafe Format String |
CWE-502 | Deserialization of Untrusted Data |
CWE-643 | XPath Injection |
CWE-917 | Expression Language Injection |
CWE-918 | Server-Side Request Forgery |
Java medium-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-90 | LDAP Injection |
CWE-209 | Error Messages Information Exposure |
CWE-312 | Store Sensitive Information |
CWE-319 | Insufficient Transport Layer Protection |
CWE-327 | Insecure Cryptographic Algorithm |
CWE-335 | Predictable Seed |
CWE-338 | Weak Pseudo-Random |
CWE-347 | Improper Verification of JWT Signature |
CWE-400 | Loop Denial of Service |
CWE-400 | Readline Denial of Service |
CWE-400 | Regex Denial of Service (ReDoS) |
CWE-400 | Sleep Denial of Service |
CWE-470 | Unsafe Reflection |
CWE-472 | Hidden HTML Input |
CWE-501 | Trust Boundary Violation |
CWE-611 | XML External Entity (XXE) Injection |
CWE-676 | Miscellaneous Dangerous Functions |
CWE-780 | Weak RSA Encryption |
CWE-798 | Hardcoded Password/Credentials |
Java low-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-15 | System Properties Change |
CWE-20 | Mail Relay |
CWE-113 | HTTP Header Injection |
CWE-117 | Log Forging |
CWE-297 | Improper Certificate Validation |
CWE-325 | Missing Cryptographic Step |
CWE-326 | Weak Encryption Strength |
CWE-328 | Weak Hash Strength |
CWE-497 | System Properties Disclosure |
CWE-532 | Log Sensitive Information |
CWE-601 | Unvalidated/Open Redirect |
CWE-941 | Arbitrary Server Connection |
CWE-1004 | Cookie Without 'HttpOnly' Flag |
CWE-1204 | Weak Initialization Vector |