Scala

Note: This capability is in closed beta.

This article covers Scala support and vulnerability detection for Mend SAST.

Mend SAST-supported Scala file types

File Type
.scala
.sc

Mend SAST-supported Scala frameworks

Library
Akka HTTP
Anorm
Apache Avro
Apache Cocoon
Apache Commons
Apache HttpClient
Apache Jackrabbit
BooPickle
Bouncy Castle
Cask
dom4j
Doobie
Finatra
Finch
FreeMarker
Guava
hasher
http4s
Jackson
Jakarta Mail
Jakarta Servlet
JAX-RS / JAX-RS (Jakarta)
JAXB
JDOM2
Java Servlet
JavaMail
JJWT
jwt-scala
kantan.xpath
Kryo
Lift Framework
Mustache.java
OkHttp
os-lib
Pekko HTTP
Play Framework
Protocol Buffers
RabbitMQ
ReactiveMongo
Scala Process
Scala Regex
Scala XML
Scalate
Scalatra
Skunk
Slick
SnakeYAML
Spring Framework
ssl-config / Play WS
sttp
scalaj-http
Thymeleaf
tsec
Typesafe Config
XStream
ZIO HTTP
ZIO JDBC

Mend SAST-supported Scala vulnerability types

The Scala vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity.

Scala high-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-22 | Path/Directory Traversal | UNAFFECTED
CWE-78 | Command Injection | UNAFFECTED
CWE-79 | Cross-Site Scripting | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
CWE-89 | SQL Injection | UNAFFECTED
CWE-94 | Code Injection | UNAFFECTED
CWE-502 | Deserialization of Untrusted Data | UNAFFECTED
CWE-643 | XPath Injection | UNAFFECTED
CWE-918 | Server-Side Request Forgery | UNAFFECTED
CWE-943 | NoSQL Injection | UNAFFECTED

Scala medium-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-90 | LDAP Injection | UNAFFECTED
CWE-295 | Insecure TLS Configuration | UNAFFECTED
CWE-327 | Insecure Cryptographic Algorithm | UNAFFECTED
CWE-400 | Sleep Denial of Service | UNAFFECTED
CWE-611 | XML External Entity (XXE) Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
CWE-798 | Hardcoded Password/Credentials | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

Scala low-severity vulnerability types

CWE | Vulnerability Type | Low Probability Impact
CWE-328 | Weak Hash Strength | UNAFFECTED
CWE-601 | Unvalidated/Open Redirect | UNAFFECTED
CWE-1333 | Regex Denial of Service (ReDoS) | UNAFFECTED