Ruby
This article covers Ruby support and vulnerability detection for Mend SAST.
Mend SAST-supported Ruby file types
File Type |
---|
.erb** |
.rb |
.rhtm** |
.rhtml** |

** Note: These extensions are marked as ‘Secondary’ file extensions. They are only scanned if at least one file with one of the ‘Primary’ file extensions (here, .rb) is also present to identify the language as Ruby.
Mend SAST-supported Ruby frameworks
Framework |
---|
Ruby on Rails |
Mend SAST-supported Ruby vulnerability types
The Ruby vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.
Ruby high-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-22 | Path/Directory Traversal |
CWE-59 | Improper Link Resolution Before File Access (Link Following) |
CWE-73 | File Manipulation |
CWE-78 | Command Injection |
CWE-79 | Cross-Site Scripting |
CWE-89 | SQL Injection |
CWE-94 | Code Injection |
CWE-915 | Mass Assignment |
CWE-79 | Dangerous HTML Embedded |
Ruby medium-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-798 | Hardcoded Password/Credentials |
CWE-90 | LDAP Injection |
CWE-244 | Heap Inspection |
CWE-676 | Miscellaneous Dangerous Functions |
CWE-321 | Secret Key in Source |
Ruby low-severity vulnerability types
CWE | Vulnerability Type |
---|---|
CWE-434 | File Upload |
CWE-530 | Dangerous File Extensions |
CWE-916 | Weak Hash Strength |
CWE-1004 | Cookie Without 'HttpOnly' Flag |
CWE-113 | HTTP Response Splitting |