
Java

This article covers Java support and vulnerability detection for Mend SAST.

Mend SAST-supported Java file types

File Type:
  • .java
  • .jsp
  • .jspf
  • .jspx

Mend SAST-supported Java frameworks

Framework:
  • Hibernate
  • J2EE
  • JavaBeans
  • JAX-RPC
  • JAX-RS
  • JAX-WS
  • JSP
  • Micronaut
  • Spring
  • Spring Boot
  • Struts
  • Struts2
  • Websockets

Mend SAST-supported Java vulnerability types

The Java vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

Java high-severity vulnerability types

Each row gives the CWE, the vulnerability type, and (indented) the Low Probability Impact.

CWE-22  Path/Directory Traversal
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-74  JNDI Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-74  XSLT Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-78  Command Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-79  Cross-Site Scripting
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
  • Skipped Taint Sanitizers: Responses with content type XML are treated as vulnerable to XSS

CWE-89  SQL Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-94  Code Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-134  Unsafe Format String
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-352  Cross-Site Request Forgery (CSRF)
  • ONLY detected when Low Probability Findings are enabled
  • Additional Taint Sinks: Disabling standard CSRF implementations

CWE-502  Deserialization of Untrusted Data
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-643  XPath Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-917  Expression Language Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-918  Server-Side Request Forgery
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
  • Skipped Taint Sanitizers: The heuristic regex sanitizer is not applied

Java medium-severity vulnerability types

Each row gives the CWE, the vulnerability type, and (indented) the Low Probability Impact.

CWE-90  LDAP Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-209  Error Messages Information Exposure
  • UNAFFECTED

CWE-312  Store Sensitive Information
  • UNAFFECTED

CWE-319  Insufficient Transport Layer Protection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-327  Insecure Cryptographic Algorithm
  • UNAFFECTED

CWE-335  Predictable Seed
  • UNAFFECTED

CWE-338  Weak Pseudo-Random
  • Additional Taint Sinks: Invocations of non-cryptographic random functions such as Math.random

CWE-347  Improper Verification of JWT Signature
  • UNAFFECTED

CWE-400  Loop Denial of Service
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-400  Readline Denial of Service
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-400  Regex Denial of Service (ReDoS)
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-400  Sleep Denial of Service
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-470  Unsafe Reflection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-472  Hidden HTML Input
  • UNAFFECTED

CWE-501  Trust Boundary Violation
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-611  XML External Entity (XXE) Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-676  Miscellaneous Dangerous Functions
  • UNAFFECTED

CWE-780  Weak RSA Encryption
  • UNAFFECTED

CWE-798  Hardcoded Password/Credentials
  • Additional Taint Sinks: Assignments or comparisons of hard-coded strings to variables or attributes with sensitive names such as password

Java low-severity vulnerability types

Each row gives the CWE, the vulnerability type, and (indented) the Low Probability Impact.

CWE-15  System Properties Change
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-20  Mail Relay
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-113  HTTP Header Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-117  Log Forging
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-208  Observable Timing Discrepancy
  • ONLY detected when Low Probability Findings are enabled

CWE-256  Plaintext Storage of a Password
  • ONLY detected when Low Probability Findings are enabled

CWE-297  Improper Certificate Validation
  • UNAFFECTED

CWE-325  Missing Cryptographic Step
  • UNAFFECTED

CWE-328  Weak Hash Strength
  • UNAFFECTED

CWE-497  System Properties Disclosure
  • UNAFFECTED

CWE-532  Log Sensitive Information
  • UNAFFECTED

CWE-601  Unvalidated/Open Redirect
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
  • Skipped Taint Sanitizers: The heuristic regex sanitizer is not applied

CWE-941  Arbitrary Server Connection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-1004  Cookie Without 'HttpOnly' Flag
  • UNAFFECTED

CWE-1204  Weak Initialization Vector
  • UNAFFECTED
