Groovy

This article covers Groovy support and vulnerability detection for Mend SAST.

Mend SAST-supported Groovy file types

**Note: These extensions are marked as ‘Secondary’ file extensions.
They will only be scanned if at least one file with any of the other ‘Primary’ file extensions is present to identify the language as the relevant language.

File Type
.groovy
.gsh
.gsp
.gvy
.gy
.java**

Mend SAST-supported Groovy frameworks

Framework
Grails

Mend SAST-supported Groovy vulnerability types

The Groovy vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

Groovy high-severity vulnerability types

CWE	Vulnerability Type
CWE-22	Path/Directory Traversal
CWE-73	File Manipulation
CWE-78	Command Injection
CWE-79	Cross-Site Scripting
CWE-89	SQL Injection
CWE-94	Code Injection
CWE-94	Server Pages Execution
CWE-502	Deserialization of Untrusted Data
CWE-643	XPath Injection
CWE-918	Server-Side Request Forgery

Groovy medium-severity vulnerability types

CWE	Vulnerability Type
CWE-90	LDAP Injection
CWE-209	Log Messages Information Leak
CWE-209	Error Messages Information Exposure
CWE-209	Console Output
CWE-244	Heap Inspection
CWE-338	Weak Pseudo-Random
CWE-400	Sleep Denial of Service
CWE-400	Regex Denial of Service (ReDoS)
CWE-472	Hidden HTML Input
CWE-501	Trust Boundary Violation
CWE-611	XML External Entity (XXE) Injection
CWE-676	Miscellaneous Dangerous Functions
CWE-798	Hardcoded Password/Credentials

Groovy low-severity vulnerability types

CWE	Vulnerability Type
CWE-20	Session Poisoning
CWE-20	System Properties Change
CWE-20	Mail Relay
CWE-20	Cookie Injection
CWE-113	HTTP Header Injection
CWE-113	HTTP Response Splitting
CWE-117	Log Forging
CWE-326	Weak Encryption Strength
CWE-434	File Upload
CWE-497	System Properties Disclosure
CWE-530	Dangerous File Extensions
CWE-601	Unvalidated/Open Redirect
CWE-916	Weak Hash Strength
CWE-941	Arbitrary Server Connection
CWE-1004	Cookie Without 'HttpOnly' Flag