Kotlin
Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.
This article covers Kotlin support and vulnerability detection for Mend SAST.
Mend SAST-supported Kotlin file types

File Type |
---|
.kt |
.ktm |
.kts |
Mend SAST-supported Kotlin frameworks

Framework |
---|
Micronaut |
Mend SAST-supported Kotlin vulnerability types

The Kotlin vulnerability types detected by Mend SAST are listed below, grouped by severity (high, medium, low) and ordered by CWE ID within each group.
Kotlin high-severity vulnerability types

CWE | Vulnerability Type |
---|---|
CWE-22 | Path/Directory Traversal |
CWE-73 | File Manipulation |
CWE-78 | Command Injection |
CWE-79 | Cross-Site Scripting |
CWE-89 | SQL Injection |
CWE-94 | Code Injection |
CWE-94 | Server Pages Execution |
CWE-502 | Deserialization of Untrusted Data |
CWE-643 | XPath Injection |
CWE-918 | Server-Side Request Forgery |
Kotlin medium-severity vulnerability types

CWE | Vulnerability Type |
---|---|
CWE-90 | LDAP Injection |
CWE-209 | Log Messages Information Leak |
CWE-209 | Error Messages Information Exposure |
CWE-209 | Console Output |
CWE-244 | Heap Inspection |
CWE-338 | Weak Pseudo-Random |
CWE-400 | Sleep Denial of Service |
CWE-400 | Regex Denial of Service (ReDoS) |
CWE-472 | Hidden HTML Input |
CWE-501 | Trust Boundary Violation |
CWE-611 | XML External Entity (XXE) Injection |
CWE-676 | Miscellaneous Dangerous Functions |
CWE-798 | Hardcoded Password/Credentials |
Kotlin low-severity vulnerability types

CWE | Vulnerability Type |
---|---|
CWE-20 | Session Poisoning |
CWE-20 | System Properties Change |
CWE-20 | Mail Relay |
CWE-20 | Cookie Injection |
CWE-113 | HTTP Header Injection |
CWE-113 | HTTP Response Splitting |
CWE-117 | Log Forging |
CWE-326 | Weak Encryption Strength |
CWE-434 | File Upload |
CWE-497 | System Properties Disclosure |
CWE-530 | Dangerous File Extensions |
CWE-601 | Unvalidated/Open Redirect |
CWE-916 | Weak Hash Strength |
CWE-941 | Arbitrary Server Connection |
CWE-1004 | Cookie Without 'HttpOnly' Flag |