C#
This article covers C# support and vulnerability detection for Mend SAST.
Mend SAST-supported C# file types
**Note: These extensions are marked as ‘Secondary’ file extensions.
They will only be scanned if at least one file with any of the other ‘Primary’ file extensions is present to identify the language as the relevant language.
File Type | Generation 1 | Generation 2 |
|---|---|---|
.aspx | ✅ | ✅ |
.ascx** | ✅ | ✅ |
.cs | ✅ | ✅ |
.cshtm** | ✅ | ❌ |
.cshtml** | ✅ | ✅ |
.master** | ✅ | ❌ |
.razor | ❌ | ✅ |
Mend SAST-supported C# frameworks
Framework | Generation 1 | Generation 2 |
|---|---|---|
ASP.NET Core | ✅ | ✅ |
ASP.NET MVC | ✅ | ✅ |
ASP.NET Web Forms | ✅ | ✅ |
Azure Service Bus | ❌ | ✅ |
Azure Service Fabric | ❌ | ✅ |
C# Web Services | ❌ | ✅ |
Entity | ✅ | ❌ |
NHibernate | ✅ | ✅ |
Razor | ❌ | ✅ |
Telerik | ✅ | ❌ |
Mend SAST-supported C# vulnerability types
The C# vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.
C# high-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
CWE-22 | Path/Directory Traversal | ✅ | ✅ |
CWE-73 | File Manipulation | ✅ | ❌ |
CWE-78 | Command Injection | ✅ | ✅ |
CWE-79 | Cross-Site Scripting | ✅ | ✅ |
CWE-89 | SQL Injection | ✅ | ✅ |
CWE-94 | Code Injection | ✅ | ✅ |
CWE-94 | Server Pages Execution | ✅ | ❌ |
CWE-502 | Deserialization of Untrusted Data | ✅ | ✅ |
CWE-643 | XPath Injection | ✅ | ✅ |
CWE-918 | Server-Side Request Forgery | ✅ | ✅ |
C# medium-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
|---|---|---|---|
CWE-90 | LDAP Injection | ✅ | ✅ |
CWE-209 | Error Messages Information Exposure | ✅ | ✅ |
CWE-209 | Console Output | ✅ | ❌ |
CWE-244 | Heap Inspection Note: Starting in v23.8.1, this vulnerability type can be ignored for detection improvement for C# projects. Please reach out to your Mend Customer Success Manager (CSM) if you would like to enable this feature for your future C# scans. Read more on our v23.8.1 Release Notes. | ✅ | ❌ |
CWE-319 | Insufficient Transport Layer Protection | ❌ | ✅ |
CWE-338 | Weak Pseudo-Random | ✅ | ✅ |
CWE-400 | Sleep Denial of Service | ✅ | ✅ |
CWE-400 | Regex Denial of Service (ReDoS) | ✅ | ❌ |
CWE-472 | Hidden HTML Input | ✅ | ❌ |
CWE-501 | Trust Boundary Violation | ✅ | ✅ |
CWE-611 | XML External Entity (XXE) Injection | ✅ | ✅ |
CWE-676 | Miscellaneous Dangerous Functions | ✅ | ✅ |
CWE-798 | Hardcoded Password/Credentials | ✅ | ✅ |
CWE-1336 | Template Injection | ❌ | ✅ |
C# Low-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
CWE-20 | Cookie Injection | ✅ | ❌ |
CWE-20 | Mail Relay | ✅ | ✅ |
CWE-20 | Session Poisoning | ✅ | ❌ |
CWE-113 | HTTP Header Injection | ✅ | ❌ |
CWE-113 | HTTP Response Splitting | ✅ | ❌ |
CWE-117 | Log Forging | ✅ | ✅ |
CWE-326 | Weak Encryption Strength | ✅ | ✅ |
CWE-434 | File Upload Note: Note: Starting in v23.8.1, this vulnerability type can be ignored for detection improvement for C# projects. Please reach out to your Mend Customer Success Manager (CSM) if you would like to enable this feature for your future C# scans. Read more on our v23.8.1 Release Notes. | ✅ | ❌ |
CWE-530 | Dangerous File Extensions | ✅ | ❌ |
CWE-601 | Unvalidated/Open Redirect | ✅ | ✅ |
CWE-614 | Sensitive Cookie Without Secure | ❌ | ✅ |
CWE-916 | Weak Hash Strength | ✅ | ✅ |
CWE-941 | Arbitrary Server Connection | ✅ | ✅ |
CWE-1004 | Cookie Without 'HttpOnly' Flag | ✅ | ✅ |
CWE-1333 | Regex Denial of Service (ReDoS) | ❌ | ✅ |