TypeScript
Overview
This article covers TypeScript support and vulnerability detection for Mend SAST.
Mend SAST-supported TypeScript File Types
File Type | Generation 1 | Generation 2 |
---|---|---|
.cts | ❌ | ✅ |
.html** | ✅ | ✅ |
.mts | ❌ | ✅ |
.ts | ✅ | ✅ |
.tsx | ✅ | ✅ |
.vue | ❌ | ✅ |
**Note: Extensions marked with a double asterisk are 'Secondary' file extensions. Files with a secondary extension are only scanned if at least one file with one of the 'Primary' extensions is also present, since it is the primary extension that identifies the project's language as TypeScript.
Mend SAST-supported TypeScript Frameworks
Framework | Generation 1 | Generation 2 |
---|---|---|
Angular | ✅ | ✅ |
ExpressJS | ✅ | ✅ |
Fastify | ❌ | ✅ |
Hapi | ❌ | ✅ |
JQuery | ✅ | ✅ |
Knockout | ✅ | ✅ |
Koa.JS | ✅ | ✅ |
NestJS | ✅ | ✅ |
Next.js | ❌ | ✅ |
Node.JS | ✅ | ✅ |
React | ✅ | ✅ |
Restify | ❌ | ✅ |
Vue.js | ❌ | ✅ |
Mend SAST-supported TypeScript Vulnerability Types
The TypeScript vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity group.
TypeScript High-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-22 | Path/Directory Traversal | ✅ | ✅ |
CWE-78 | Command Injection | ✅ | ✅ |
CWE-79 | Cross-Site Scripting | ✅ | ✅ |
CWE-79 | DOM Based Cross-Site Scripting | ✅ | ✅ |
CWE-89 | SQL Injection | ✅ | ✅ |
CWE-94 | Code Injection | ✅ | ✅ |
CWE-134 | Use of Externally-Controlled Format String | ❌ | ✅ |
CWE-346 | Origin Validation Error | ❌ | ✅ |
CWE-502 | Deserialization of Untrusted Data | ❌ | ✅ |
CWE-643 | XPath Injection | ❌ | ✅ |
CWE-918 | Server-Side Request Forgery | ❌ | ✅ |
CWE-943 | NoSQL Injection | ✅ | ✅ |
TypeScript Medium-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-90 | LDAP Injection | ❌ | ✅ |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | ❌ | ✅ |
CWE-209 | Generation of Error Message Containing Sensitive Information | ❌ | ✅ |
CWE-295 | Improper Certificate Validation | ❌ | ✅ |
CWE-312 | Cleartext Storage of Sensitive Information | ❌ | ✅ |
CWE-319 | Cleartext Transmission of Sensitive Information | ❌ | ✅ |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | ❌ | ✅ |
CWE-338 | Weak Pseudo-Random | ✅ | ✅ |
CWE-347 | Improper Verification of Cryptographic Signature | ❌ | ✅ |
CWE-400 | Regex Denial of Service (ReDoS) | ✅ | ❌ |
CWE-611 | XML External Entity (XXE) Injection | ❌ | ✅ |
CWE-676 | Miscellaneous Dangerous Functions | ✅ | ❌ |
CWE-798 | Hardcoded Password/Credentials | ✅ | ✅ |
CWE-1004 | Cookie Without 'HttpOnly' Flag | ❌ | ✅ |
CWE-1333 | Regex Denial of Service (ReDoS) | ❌ | ✅ |
TypeScript Low-Severity Vulnerability Types
CWE | Vulnerability Type | Generation 1 | Generation 2 |
---|---|---|---|
CWE-20 | Cookie Injection | ✅ | ✅ |
CWE-20 | Improper Input Validation | ❌ | ✅ |
CWE-113 | HTTP Header Injection | ✅ | ❌ |
CWE-113 | HTTP Response Splitting | ✅ | ❌ |
CWE-117 | Log Forging | ✅ | ✅ |
CWE-242 | Use of Inherently Dangerous Function | ✅ | ✅ |
CWE-328 | Use of Weak Hash | ❌ | ✅ |
CWE-434 | Unrestricted Upload of File with Dangerous Type | ❌ | ✅ |
CWE-598 | Use of GET Request Method With Sensitive Query Strings | ❌ | ✅ |
CWE-601 | Unvalidated/Open Redirect | ✅ | ✅ |
CWE-614 | Sensitive Cookie Without Secure | ❌ | ✅ |
CWE-776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | ❌ | ✅ |