Python
This article covers Python support and vulnerability detection for Mend SAST.
Mend SAST-supported Python file types
| File Type |
|---|
| .py |
Mend SAST-supported Python frameworks
| Framework |
|---|
| N/A |
Mend SAST-supported Python vulnerability types
The Python vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity. The Generation 1 and Generation 2 columns indicate which SAST engine generation detects each type; an asterisk marks types that Generation 2 reports under a different CWE (see the notes at the end of the page).
Python high-severity vulnerability types
| CWE | Vulnerability Type | Generation 1 | Generation 2 |
|---|---|---|---|
| CWE-22 | Path/Directory Traversal | ✅ | ✅ |
| CWE-73 | File Manipulation | ✅ | ✅* |
| CWE-78 | Command Injection | ✅ | ✅ |
| CWE-79 | Cross-Site Scripting | ✅ | ✅ |
| CWE-89 | SQL Injection | ❌ | ✅ |
| CWE-94 | Code Injection | ✅ | ✅ |
| CWE-502 | Deserialization of Untrusted Data | ✅ | ✅ |
| CWE-643 | XPath Injection | ✅ | ✅ |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | ❌ | ✅ |
| CWE-918 | Server-Side Request Forgery | ❌ | ✅ |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | ❌ | ✅ |
Python medium-severity vulnerability types
| CWE | Vulnerability Type | Generation 1 | Generation 2 |
|---|---|---|---|
| CWE-90 | LDAP Injection | ✅ | ✅ |
| CWE-209 | Generation of Error Message Containing Sensitive Information | ❌ | ✅ |
| CWE-244 | Heap Inspection | ✅ | ❌ |
| CWE-295 | Improper Certificate Validation | ❌ | ✅ |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | ❌ | ✅ |
| CWE-377 | Insecure Temporary File | ❌ | ✅ |
| CWE-400 | Uncontrolled Resource Consumption | ❌ | ✅ |
| CWE-472 | Hidden HTML Input | ✅ | ❌ |
| CWE-611 | Improper Restriction of XML External Entity Reference | ❌ | ✅ |
| CWE-676 | Use of Potentially Dangerous Function | ✅ | ✅ |
| CWE-798 | Use of Hard-coded Credentials | ✅ | ✅ |
| CWE-1336 | Server-Side Template Injection | ❌ | ✅ |
Python low-severity vulnerability types
| CWE | Vulnerability Type | Generation 1 | Generation 2 |
|---|---|---|---|
| CWE-20 | Improper Input Validation | ❌ | ✅ |
| CWE-20 | Mail Relay | ✅ | ✅* |
| CWE-20 | Memcache Injection Vulnerability | ✅ | ✅* |
| CWE-113 | HTTP Header Injection | ✅ | ❌ |
| CWE-117 | Improper Output Neutralization for Logs | ❌ | ✅ |
| CWE-328 | Use of Weak Hash | ❌ | ✅ |
| CWE-530 | Dangerous File Extensions | ✅ | ✅* |
| CWE-601 | Unvalidated/Open Redirect | ✅ | ✅ |
| CWE-916 | Use of Weak Hash - Insufficient Computational Effort | ✅ | ✅ |
| CWE-941 | Arbitrary Server Connection | ✅ | ✅ |
| CWE-1333 | Regex Denial of Service (ReDoS) | ❌ | ✅ |
* Notes (apply to the Generation 2 entries marked with an asterisk):
CWE-73 - File Manipulation: This CWE is now reported as CWE-22 - Path Traversal.
CWE-20 - Mail Relay: This CWE is now reported as CWE-20 - Improper Input Validation.
CWE-20 - Memcache Injection: This CWE is now reported as CWE-20 - Improper Input Validation.
CWE-530 - Dangerous File Extensions: This CWE is now reported as CWE-22 - Path Traversal.