Java | Mend.io Documentation

This article covers Java support and vulnerability detection for Mend SAST.

Mend SAST-supported Java file types

File Type
.java
.jsp
.jspf
.jspx

Mend SAST-supported Java frameworks

Framework
Hibernate
J2EE
JavaBeans
JAX-RPC
JAX-RS
JAX-WS
JSP
Micronaut
Spring
Spring Boot
Struts
Struts2
Websockets

Mend SAST-supported Java vulnerability types

The Java vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

Java high-severity vulnerability types

CWE	Vulnerability Type	Low Probability Impact
CWE-22	Path/Directory Traversal	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-74	JNDI Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-74	XSLT Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-78	Command Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-79	Cross-Site Scripting	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) Skipped Taint Sanitizers: Content type XML will be considered as vulnerable for XSS
CWE-89	SQL Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-94	Code Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-134	Unsafe Format String	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-352	Cross-Site Request Forgery (CSRF)	ONLY detected when Low Probability Findings are enabled Additional Taint Sinks: Disabling standard CSRF implementations
CWE-502	Deserialization of Untrusted Data	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-643	XPath Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-917	Expression Language Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-918	Server-Side Request Forgery	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) Skipped Taint Sanitizers: No heuristical regex sanitizer

Java medium-severity vulnerability types

CWE	Vulnerability Type	Low Probability Impact
CWE-90	LDAP Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-209	Error Messages Information Exposure	UNAFFECTED
CWE-312	Store Sensitive Information	UNAFFECTED
CWE-319	Insufficient Transport Layer Protection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-327	Insecure Cryptographic Algorithm	UNAFFECTED
CWE-335	Predictable Seed	UNAFFECTED
CWE-338	Weak Pseudo-Random	Additional Taint Sinks: Invocations of non cryptographic random functions like Math.random
CWE-347	Improper Verification of JWT Signature	UNAFFECTED
CWE-400	Loop Denial of Service	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-400	Readline Denial of Service	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-400	Regex Denial of Service (ReDoS)	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-400	Sleep Denial of Service	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-470	Unsafe Reflection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-472	Hidden HTML Input	UNAFFECTED
CWE-501	Trust Boundary Violation	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-611	XML External Entity (XXE) Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-676	Miscellaneous Dangerous Functions	UNAFFECTED
CWE-780	Weak RSA Encryption	UNAFFECTED
CWE-798	Hardcoded Password/Credentials	Additional Taint Sinks: Assignments or comparisons of hard-coded strings to variables/attributes with special names like password

Java low-severity vulnerability types

CWE	Vulnerability Type	Low Probability Impact
CWE-15	System Properties Change	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-20	Mail Relay	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-113	HTTP Header Injection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-117	Log Forging	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-208	Observable Timing Discrepancy	ONLY detected when Low Probability Findings are enabled
CWE-256	Plaintext Storage of a Password	ONLY detected when Low Probability Findings are enabled
CWE-297	Improper Certificate Validation	UNAFFECTED
CWE-325	Missing Cryptographic Step	UNAFFECTED
CWE-328	Weak Hash Strength	UNAFFECTED
CWE-497	System Properties Disclosure	UNAFFECTED
CWE-532	Log Sensitive Information	UNAFFECTED
CWE-601	Unvalidated/Open Redirect	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) Skipped Taint Sanitizers: No heuristical regex sanitizer
CWE-941	Arbitrary Server Connection	Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access)
CWE-1004	Cookie Without 'HttpOnly' Flag	UNAFFECTED
CWE-1204	Weak Initialization Vector	UNAFFECTED