Java

This article covers Java support and vulnerability detection for Mend SAST.

Mend SAST-supported Java file types

| File Type |
| --- |
| .java |
| .jsp |
| .jspf |
| .jspx |

Mend SAST-supported Java frameworks

| Framework |
| --- |
| Hibernate |
| J2EE |
| JavaBeans |
| JAX-RPC |
| JAX-RS |
| JAX-WS |
| JSP |
| Micronaut |
| Spring |
| Spring Boot |
| Struts |
| Struts2 |
| Websockets |

Mend SAST-supported Java vulnerability types

The Java vulnerability types that Mend SAST detects are listed below, grouped by severity and ordered by CWE ID within each severity.

Java high-severity vulnerability types

| CWE | Vulnerability Type |
| --- | --- |
| CWE-22 | Path/Directory Traversal |
| CWE-74 | JNDI Injection |
| CWE-74 | XSLT Injection |
| CWE-78 | Command Injection |
| CWE-79 | Cross-Site Scripting |
| CWE-89 | SQL Injection |
| CWE-94 | Code Injection |
| CWE-134 | Unsafe Format String |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-643 | XPath Injection |
| CWE-917 | Expression Language Injection |
| CWE-918 | Server-Side Request Forgery |

Java medium-severity vulnerability types

| CWE | Vulnerability Type |
| --- | --- |
| CWE-90 | LDAP Injection |
| CWE-209 | Error Messages Information Exposure |
| CWE-312 | Store Sensitive Information |
| CWE-319 | Insufficient Transport Layer Protection |
| CWE-327 | Insecure Cryptographic Algorithm |
| CWE-335 | Predictable Seed |
| CWE-338 | Weak Pseudo-Random |
| CWE-347 | Improper Verification of JWT Signature |
| CWE-400 | Loop Denial of Service |
| CWE-400 | Readline Denial of Service |
| CWE-400 | Regex Denial of Service (ReDoS) |
| CWE-400 | Sleep Denial of Service |
| CWE-470 | Unsafe Reflection |
| CWE-472 | Hidden HTML Input |
| CWE-501 | Trust Boundary Violation |
| CWE-611 | XML External Entity (XXE) Injection |
| CWE-676 | Miscellaneous Dangerous Functions |
| CWE-780 | Weak RSA Encryption |
| CWE-798 | Hardcoded Password/Credentials |

Java low-severity vulnerability types

| CWE | Vulnerability Type |
| --- | --- |
| CWE-15 | System Properties Change |
| CWE-20 | Mail Relay |
| CWE-113 | HTTP Header Injection |
| CWE-117 | Log Forging |
| CWE-297 | Improper Certificate Validation |
| CWE-325 | Missing Cryptographic Step |
| CWE-326 | Weak Encryption Strength |
| CWE-328 | Weak Hash Strength |
| CWE-497 | System Properties Disclosure |
| CWE-532 | Log Sensitive Information |
| CWE-601 | Unvalidated/Open Redirect |
| CWE-941 | Arbitrary Server Connection |
| CWE-1004 | Cookie Without 'HttpOnly' Flag |
| CWE-1204 | Weak Initialization Vector |
