C#

This article describes the C# language support in Mend SAST: the file types and frameworks it recognizes and the vulnerability types it detects.

Mend SAST-supported C# file types

  • .aspx
  • .ascx *
  • .cs
  • .cshtml *
  • .razor

* Note: These extensions are marked as ‘Secondary’ file extensions. They are scanned only if at least one file with one of the other, ‘Primary’, extensions is present to identify the project's language as C#.

Mend SAST-supported C# frameworks

  • ASP.NET Core
  • ASP.NET MVC
  • ASP.NET Web Forms
  • Azure Service Bus
  • Azure Service Fabric
  • C# Web Services
  • NHibernate
  • Razor

Mend SAST-supported C# vulnerability types

The C# vulnerability types detected by SAST are listed below, grouped by severity and ordered by CWE ID within each group. For each type, the Low Probability Impact column lists the additional taint sources or sinks that are considered, or marks the type as UNAFFECTED.

C# high-severity vulnerability types (CWE, Vulnerability Type, Low Probability Impact)

CWE-22  Path/Directory Traversal
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-78  Command Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-79  Cross-Site Scripting
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
  • Additional Taint Sinks:
    Disabling standard CSRF implementations

CWE-89  SQL Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-94  Code Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-502  Deserialization of Untrusted Data
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-643  XPath Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-918  Server-Side Request Forgery
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

C# medium-severity vulnerability types (CWE, Vulnerability Type, Low Probability Impact)

CWE-90  LDAP Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-209  Error Messages Information Exposure
  • UNAFFECTED

CWE-319  Insufficient Transport Layer Protection
  • UNAFFECTED

CWE-338  Weak Pseudo-Random
  • UNAFFECTED

CWE-400  Sleep Denial of Service
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-501  Trust Boundary Violation
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-611  XML External Entity (XXE) Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-676  Miscellaneous Dangerous Functions
  • UNAFFECTED

CWE-798  Hardcoded Password/Credentials
  • Additional Taint Sinks:
    Assignments of hard-coded strings to variables/attributes with special names such as password

CWE-1336  Template Injection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

C# low-severity vulnerability types (CWE, Vulnerability Type, Low Probability Impact)

CWE-20  Mail Relay
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-117  Log Forging
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-326  Weak Encryption Strength
  • UNAFFECTED

CWE-601  Unvalidated/Open Redirect
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-614  Sensitive Cookie Without Secure
  • UNAFFECTED

CWE-916  Weak Hash Strength
  • UNAFFECTED

CWE-941  Arbitrary Server Connection
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-1004  Cookie Without 'HttpOnly' Flag
  • UNAFFECTED

CWE-1333  Regex Denial of Service (ReDoS)
  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)