Java
This article covers Java support and vulnerability detection for Mend SAST.
Mend SAST-supported Java file types
**Note: These extensions are marked as ‘Secondary’ file extensions.
They will only be scanned if at least one file with any of the other ‘Primary’ file extensions is present to identify the language as the relevant language.
File Type |
|---|
.faces** |
.java |
.jhtm** |
.jhtml** |
.jsf** |
.jsp |
.jspf |
.jspx |
Mend SAST-supported Java frameworks
Framework |
|---|
Dropwizard |
EJB |
Hibernate |
J2EE |
JavaBeans |
JavaFaces |
JAX-RPC |
JAX-RS |
JAX-WS |
JSP |
Micronaut |
Spring |
Spring Boot |
Struts |
Struts2 |
Websockets |
Mend SAST-supported Java vulnerability types
The Java vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.
Java high-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
|---|---|---|---|
CWE-22 | Path/Directory Traversal | ✅ | ✅ |
CWE-73 | File Manipulation | ✅ | ❌ |
CWE-74 | JNDI Injection | ❌ | ✅ |
CWE-74 | XSLT Injection | ❌ | ✅ |
CWE-78 | Command Injection | ✅ | ✅ |
CWE-79 | Cross-Site Scripting | ✅ | ✅ |
CWE-89 | SQL Injection | ✅ | ✅ |
CWE-94 | Code Injection | ✅ | ✅ |
CWE-94 | Server Pages Execution | ✅ | ❌ |
CWE-134 | Unsafe Format String | ❌ | ✅ |
CWE-502 | Deserialization of Untrusted Data | ✅ | ✅ |
CWE-643 | XPath Injection | ✅ | ✅ |
CWE-917 | Expression Language Injection | ❌ | ✅ |
CWE-918 | Server-Side Request Forgery | ✅ | ✅ |
Java medium-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
CWE-90 | LDAP Injection | ✅ | ✅ |
CWE-209 | Console Output | ✅ | ❌ |
CWE-209 | Error Messages Information Exposure | ✅ | ✅ |
CWE-209 | Log Messages Information Leak | ✅ | ❌ |
CWE-244 | Heap Inspection | ✅ | ❌ |
CWE-312 | Store Sensitive Information | ❌ | ✅ |
CWE-319 | Insufficient Transport Layer Protection | ✅ | ✅ |
CWE-327 | Insecure Cryptographic Algorithm | ❌ | ✅ |
CWE-335 | Predictable Seed | ❌ | ✅ |
CWE-338 | Weak Pseudo-Random | ✅ | ✅ |
CWE-347 | Improper Verification of JWT Signature | ❌ | ✅ |
CWE-400 | Loop Denial of Service | ❌ | ✅ |
CWE-400 | Readline Denial of Service | ❌ | ✅ |
CWE-400 | Regex Denial of Service (ReDoS) | ✅ | ✅ |
CWE-400 | Sleep Denial of Service | ✅ | ✅ |
CWE-470 | Unsafe Reflection | ❌ | ✅ |
CWE-472 | Hidden HTML Input | ✅ | ✅ |
CWE-501 | Trust Boundary Violation | ✅ | ✅ |
CWE-611 | XML External Entity (XXE) Injection | ✅ | ✅ |
CWE-676 | Miscellaneous Dangerous Functions | ✅ | ✅ |
CWE-780 | Weak RSA Encryption | ❌ | ✅ |
CWE-798 | Hardcoded Password/Credentials | ✅ | ✅ |
Java low-severity vulnerability types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
CWE-15 | System Properties Change | ❌ | ✅ |
CWE-20 | Mail Relay | ✅ | ✅ |
CWE-20 | Session Poisoning | ✅ | ❌ |
CWE-20 | System Properties Change | ✅ | ❌ |
CWE-20 | Improper Cookie Injection | ✅ | ❌ |
CWE-113 | HTTP Header Injection | ✅ | ✅ |
CWE-113 | HTTP Response Splitting | ✅ | ❌ |
CWE-117 | Log Forging | ✅ | ✅ |
CWE-297 | Improper Certificate Validation | ❌ | ✅ |
CWE-325 | Missing Cryptographic Step | ❌ | ✅ |
CWE-326 | Weak Encryption Strength | ✅ | ✅ |
CWE-328 | Weak Hash Strength | ❌ | ✅ |
CWE-434 | Unrestricted Upload of File with Dangerous Type | ✅ | ❌ |
CWE-497 | System Properties Disclosure | ✅ | ✅ |
CWE-530 | Dangerous File Extensions | ✅ | ❌ |
CWE-532 | Log Sensitive Information | ❌ | ✅ |
CWE-601 | Unvalidated/Open Redirect | ✅ | ✅ |
CWE-916 | Weak Hash Strength | ✅ | ❌ |
CWE-941 | Arbitrary Server Connection | ✅ | ✅ |
CWE-1004 | Cookie Without 'HttpOnly' Flag | ✅ | ✅ |
CWE-1204 | Weak Initialization Vector | ❌ | ✅ |