Breadcrumbs

C/C++ Gen 2

Note: Gen 1 is the default C/C++ detection engine for existing customers. Please reach out to your Customer Success Manager at Mend.io to upgrade to Gen 2.

Mend SAST-supported C/C++ file types

Source Files

Header Files

.c

.h

.cc

.hh

.cpp

.hxx

.cxx

.hpp

Mend SAST-supported C/C++ frameworks

Framework / Ecosystem / Domain

LLVM / MinGW / C++ toolchain

C standard library (glibc / musl)

GLib / GObject / GNOME

Apache Portable Runtime (APR)

Asynchronous I/O / Event Loop (libuv / libevent)

SQLite

ODBC / unixODBC

MySQL

PostgreSQL

MongoDB

BSON

Talloc

cURL / libcurl

OpenSSL / TLS / Cryptography

Redis

Memory Allocation (mimalloc)

JSON (jansson)

Protocol Buffers (protobuf-c)

MessagePack (msgpack-c)

Linux System APIs

Compression / Archiving (zlib / libarchive)

C++ Formatting & Logging (fmtlib / spdlog)

Boost C++ Libraries

Qt Framework

Scripting / Embedding (Lua / CPython / Duktape)

XML Processing (libxml2 / Xerces)

Cassandra

OpenLDAP

SSH / Secure Shell (libssh / libssh2)

RabbitMQ / AMQP

AWS SDK for C / C++

Azure SDK (C / C++)

MQTT (Paho)

HTTP / Web (httplib)

Mend SAST-supported C/C++ vulnerability types

The C/C++ vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

C/C++ high-severity vulnerability types

CWE

Vulnerability Type

Low Probability Impact

CWE-22

Path/Directory Traversal

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-78

Command Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-89

SQL Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-94

Code Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-121

Buffer Overflow

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

  • Skipped Taint Sanitizers:
    No heuristical sanitizier for comparisons (<,>,<=..)

  • Additional Taint Sinks:
    Buffer lengths in the method lead to an overflow (neither's lengths are user controlled, no data flow, no trace)
    Allocating buffer with negtive size
    Reading from a socket to an insufficient length buffer

CWE-134

Uncontrolled Format String

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-190

Integer Overflow

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

  • Skipped Taint Sanitizers:
    No heuristical sanitizier for comparisons (<,>,<=..)

CWE-415

Double Free

  • Additional Taint Sources:
    Source is not user controlled

CWE-416

Use After Free

  • Additional Taint Sources:
    Source is not user controlled

CWE-787

Out of Buffer Bounds Write

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

  • Skipped Taint Sanitizers:
    Using resolved numbers

  • Additional Taint Sinks:
    Mismatched with resolved buffer sizes and indexes

CWE-824

Access of Uninitialized Pointer

  • ONLY detected when Low Probability Findings are enabled

CWE-918

Server Side Request Forgery (SSRF)

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-943

No-SQL Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

C/C++ medium-severity vulnerability types

CWE

Vulnerability Type

Low Probability Impact

CWE-125

Out of Buffer Bounds Read

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-191

Integer Underflow

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

  • Skipped Taint Sanitizers:
    No heuristical sanitizier for comparisons (<,>,<=..)

CWE-457

Use of Uninitialized Variable

  • ONLY detected when Low Probability Findings are enabled

CWE-606

Unchecked Input for Loop Condition

  • UNAFFECTED

CWE-611

XML External Entity (XXE) Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-676

Miscellaneous Dangerous Functions

  • ONLY detected when Low Probability Findings are enabled

CWE-798

Hardcoded Password/Credentials

  • Additional Taint Sinks:
    Assignments of hard-coded strings to variables/attributes with special names like password

C/C++ low-severity vulnerability types

CWE

Vulnerability Type

Low Probability Impact

CWE-242

Use of Inherently Dangerous Function

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

CWE-369

Divide By Zero

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)

  • Skipped Taint Sanitizers:
    No sanitizer for division by zero

  • Additional Taint Sinks:
    Denominator is resolved to numberical value zero

CWE-476

NULL Pointer Dereference

  • UNAFFECTED

CWE-789

Uncontrolled Memory Allocation

  • UNAFFECTED

Note: In comparison to Gen 1, you may notice that some CWEs are not supported. This is not a regression but an intentional change. In detail, the following adjustments were made:

  • CWE-90: LDAP Injection: Intentionally dropped, because LDAP Injection is not relevant for C/C++

  • CWE-114: Arbitrary Library Injection: This CWE is now covered under CWE-94: Code Injection

  • CWE-244: Heap Inspection: Intentionally dropped, because Heap Inspection is very uncommon and requires the application server to be compromised for it to be exploitable. Static analysis alone can't determine if the vulnerability is a TP, so a lot of noise is generated.

  • CWE-367: Time of Check Time of Use: This CWE is now covered under CWE-22