Skip to main content
Skip table of contents

Java

In this article, we cover Java support and vulnerability detection for Mend SAST.

Mend SAST-supported Java file types

Note: ‘Secondary’ file extensions will only be scanned if at least one file with any of the other ‘Primary’ file extensions is present to identify the language as the relevant language.

File Type

Extension Type

.faces

Secondary

.java

Primary

.jhtm

Secondary

.jhtml

Secondary

.jsf

Secondary

.jsp

Primary

.jspf

Primary

.jspx

Primary

Mend SAST-supported Java frameworks

Framework

Dropwizard

EJB

Hibernate

J2EE

JavaBeans

JavaFaces

JAX-RPC

JAX-RS

JAX-WS

JSP

Micronaut

Spring

Spring Boot

Struts

Struts2

Websockets

Mend SAST-supported Java vulnerability types

The Java vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

Java high-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-22

Path/Directory Traversal

CWE-73

File Manipulation

CWE-74

JNDI Injection

CWE-74

XSLT Injection

CWE-78

Command Injection

CWE-79

Cross-Site Scripting

CWE-89

SQL Injection

CWE-94

Code Injection

CWE-94

Server Pages Execution

CWE-134

Unsafe Format String

CWE-502

Deserialization of Untrusted Data

CWE-643

XPath Injection

CWE-917

Expression Language Injection

CWE-918

Server-Side Request Forgery

Java medium-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-90

LDAP Injection

CWE-209

Console Output

CWE-209

Error Messages Information Exposure

CWE-209

Log Messages Information Leak

CWE-244

Heap Inspection

CWE-312

Store Sensitive Information

CWE-319

Insufficient Transport Layer Protection

CWE-327

Insecure Cryptographic Algorithm

CWE-335

Predictable Seed

CWE-338

Weak Pseudo-Random

CWE-347

Improper Verification of JWT Signature

CWE-400

Loop Denial of Service

CWE-400

Readline Denial of Service

CWE-400

Regex Denial of Service (ReDoS)

CWE-400

Sleep Denial of Service

CWE-470

Unsafe Reflection

CWE-472

Hidden HTML Input

CWE-501

Trust Boundary Violation

CWE-611

XML External Entity (XXE) Injection

CWE-676

Miscellaneous Dangerous Functions

CWE-780

Weak RSA Encryption

CWE-798

Hardcoded Password/Credentials

Java low-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-15

System Properties Change

CWE-20

Mail Relay

CWE-20

Session Poisoning

CWE-20

System Properties Change

CWE-20

Improper Cookie Injection

CWE-113

HTTP Header Injection

CWE-113

HTTP Response Splitting

CWE-117

Log Forging

CWE-297

Improper Certificate Validation

CWE-325

Missing Cryptographic Step

CWE-326

Weak Encryption Strength

CWE-328

Weak Hash Strength

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-497

System Properties Disclosure

CWE-530

Dangerous File Extensions

CWE-532

Log Sensitive Information

CWE-601

Unvalidated/Open Redirect

CWE-916

Weak Hash Strength

CWE-941

Arbitrary Server Connection

CWE-1004

Cookie Without 'HttpOnly' Flag

CWE-1204

Weak Initialization Vector

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.