C#
This article covers C# support and vulnerability detection for Mend SAST.
Mend SAST-supported C# file types
File Type |
---|
.aspx |
.ascx * |
.cs |
.cshtml * |
.razor |
* Note: These extensions are marked as ‘Secondary’ file extensions. They are scanned only if at least one file with one of the other, ‘Primary’ file extensions is present, so that the language can be identified as the relevant language.
Mend SAST-supported C# frameworks
Framework |
---|
ASP.NET Core |
ASP.NET MVC |
ASP.NET Web Forms |
Azure Service Bus |
Azure Service Fabric |
C# Web Services |
NHibernate |
Razor |
Mend SAST-supported C# vulnerability types
The C# vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity.
C# high-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-22 | Path/Directory Traversal |
CWE-78 | Command Injection |
CWE-79 | Cross-Site Scripting |
CWE-89 | SQL Injection |
CWE-94 | Code Injection |
CWE-502 | Deserialization of Untrusted Data |
CWE-643 | XPath Injection |
CWE-918 | Server-Side Request Forgery |
C# medium-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-90 | LDAP Injection |
CWE-209 | Error Messages Information Exposure |
CWE-319 | Insufficient Transport Layer Protection |
CWE-338 | Weak Pseudo-Random |
CWE-400 | Sleep Denial of Service |
CWE-501 | Trust Boundary Violation |
CWE-611 | XML External Entity (XXE) Injection |
CWE-676 | Miscellaneous Dangerous Functions |
CWE-798 | Hardcoded Password/Credentials |
CWE-1336 | Template Injection |
C# low-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-20 | Mail Relay |
CWE-117 | Log Forging |
CWE-326 | Weak Encryption Strength |
CWE-601 | Unvalidated/Open Redirect |
CWE-614 | Sensitive Cookie Without Secure |
CWE-916 | Weak Hash Strength |
CWE-941 | Arbitrary Server Connection |
CWE-1004 | Cookie Without 'HttpOnly' Flag |
CWE-1333 | Regex Denial of Service (ReDoS) |