JavaScript - Node.js
Overview
This article covers JavaScript support and vulnerability detection for Mend SAST.
Mend SAST-supported JavaScript File Types
File Type | Generation 1 | Generation 2 |
---|---|---|
.cjs | ❌ | ✅ |
.ejs** | ❌ | ✅ |
.html** | ✅ | ✅ |
.js | ✅ | ✅ |
.jsx | ❌ | ✅ |
.mjs | ❌ | ✅ |
.vue | ❌ | ✅ |
.xsjs | ✅ | ❌ |
** Note: These extensions are marked as 'Secondary' file extensions. They will only be scanned if at least one file with any of the other 'Primary' file extensions is present to identify the language as the relevant language.
Mend SAST-supported JavaScript Frameworks
Framework | Generation 1 | Generation 2 |
---|---|---|
Angular | ✅ | ✅ |
ExpressJS | ✅ | ✅ |
Fastify | ❌ | ✅ |
Hapi | ❌ | ✅ |
JQuery | ✅ | ✅ |
Knockout | ✅ | ✅ |
Koa.JS | ✅ | ✅ |
NestJS | ✅ | ✅ |
Next.js | ❌ | ✅ |
Node.JS | ✅ | ✅ |
React | ✅ | ✅ |
Restify | ❌ | ✅ |
Vue.js | ❌ | ✅ |
Mend SAST-supported JavaScript Vulnerability Types
The JavaScript vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each group.
JavaScript High-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-22 | Path/Directory Traversal | ✅ | ✅ |
CWE-78 | Command Injection | ✅ | ✅ |
CWE-79 | Cross-Site Scripting | ✅ | ✅ |
CWE-79 | DOM Based Cross-Site Scripting | ✅ | ✅ |
CWE-89 | SQL Injection | ✅ | ✅ |
CWE-94 | Code Injection | ✅ | ✅ |
CWE-134 | Use of Externally-Controlled Format String | ❌ | ✅ |
CWE-346 | Origin Validation Error | ❌ | ✅ |
CWE-502 | Deserialization of Untrusted Data | ❌ | ✅ |
CWE-643 | XPath Injection | ❌ | ✅ |
CWE-918 | Server-Side Request Forgery | ❌ | ✅ |
CWE-943 | NoSQL Injection | ✅ | ✅ |
JavaScript Medium-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-90 | LDAP Injection | ❌ | ✅ |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | ❌ | ✅ |
CWE-209 | Generation of Error Message Containing Sensitive Information | ❌ | ✅ |
CWE-295 | Improper Certificate Validation | ❌ | ✅ |
CWE-312 | Cleartext Storage of Sensitive Information | ❌ | ✅ |
CWE-319 | Cleartext Transmission of Sensitive Information | ❌ | ✅ |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | ❌ | ✅ |
CWE-338 | Weak Pseudo-Random | ✅ | ✅ |
CWE-347 | Improper Verification of Cryptographic Signature | ❌ | ✅ |
CWE-400 | Regex Denial of Service (ReDoS) | ✅ | ❌ |
CWE-611 | XML External Entity (XXE) Injection | ❌ | ✅ |
CWE-676 | Miscellaneous Dangerous Functions | ✅ | ❌ |
CWE-798 | Hardcoded Password/Credentials | ✅ | ✅ |
CWE-1004 | Cookie Without 'HttpOnly' Flag | ❌ | ✅ |
CWE-1333 | Regex Denial of Service (ReDoS) | ❌ | ✅ |
JavaScript Low-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-20 | Cookie Injection | ✅ | ✅ |
CWE-20 | Improper Input Validation | ❌ | ✅ |
CWE-113 | HTTP Header Injection | ✅ | ❌ |
CWE-113 | HTTP Response Splitting | ✅ | ❌ |
CWE-117 | Log Forging | ✅ | ✅ |
CWE-242 | Use of Inherently Dangerous Function | ✅ | ✅ |
CWE-328 | Use of Weak Hash | ❌ | ✅ |
CWE-434 | Unrestricted Upload of File with Dangerous Type | ❌ | ✅ |
CWE-598 | Use of GET Request Method With Sensitive Query Strings | ❌ | ✅ |
CWE-601 | Unvalidated/Open Redirect | ✅ | ✅ |
CWE-614 | Sensitive Cookie Without Secure | ❌ | ✅ |
CWE-776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | ❌ | ✅ |