Kotlin

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

This article covers Kotlin support and vulnerability detection for Mend SAST.

Mend SAST-supported Kotlin file types

File Type
.kt
.ktm
.kts

Mend SAST-supported Kotlin frameworks

Framework
Micronaut

Mend SAST-supported Kotlin vulnerability types

The Kotlin vulnerability types detected by SAST are provided below, organized by CWE ID within each of their identified severities.

Kotlin high-severity vulnerability types

CWE	Vulnerability Type
CWE-22	Path/Directory Traversal
CWE-73	File Manipulation
CWE-78	Command Injection
CWE-79	Cross-Site Scripting
CWE-89	SQL Injection
CWE-94	Code Injection
CWE-94	Server Pages Execution
CWE-502	Deserialization of Untrusted Data
CWE-643	XPath Injection
CWE-918	Server-Side Request Forgery

Kotlin medium-severity vulnerability types

CWE	Vulnerability Type
CWE-90	LDAP Injection
CWE-209	Log Messages Information Leak
CWE-209	Error Messages Information Exposure
CWE-209	Console Output
CWE-244	Heap Inspection
CWE-338	Weak Pseudo-Random
CWE-400	Sleep Denial of Service
CWE-400	Regex Denial of Service (ReDoS)
CWE-472	Hidden HTML Input
CWE-501	Trust Boundary Violation
CWE-611	XML External Entity (XXE) Injection
CWE-676	Miscellaneous Dangerous Functions
CWE-798	Hardcoded Password/Credentials

Kotlin low-severity vulnerability types

CWE	Vulnerability Type
CWE-20	Session Poisoning
CWE-20	System Properties Change
CWE-20	Mail Relay
CWE-20	Cookie Injection
CWE-113	HTTP Header Injection
CWE-113	HTTP Response Splitting
CWE-117	Log Forging
CWE-326	Weak Encryption Strength
CWE-434	File Upload
CWE-497	System Properties Disclosure
CWE-530	Dangerous File Extensions
CWE-601	Unvalidated/Open Redirect
CWE-916	Weak Hash Strength
CWE-941	Arbitrary Server Connection
CWE-1004	Cookie Without 'HttpOnly' Flag