
TypeScript

Overview

This article covers TypeScript support and vulnerability detection for Mend SAST.

Mend SAST-supported TypeScript File Types

  • .cts
  • .html *
  • .mts
  • .ts
  • .tsx
  • .vue

* Note: This extension is marked as a ‘Secondary’ file extension. Files with a Secondary extension are scanned only if at least one file with a ‘Primary’ extension (any of the other extensions listed above) is present, because the Primary file is what identifies the project's language as TypeScript.

Mend SAST-supported TypeScript Frameworks

  • Angular
  • ExpressJS
  • Fastify
  • Hapi
  • jQuery
  • Knockout
  • Koa.js
  • NestJS
  • Next.js
  • Node.js
  • React
  • Restify
  • Vue.js

Mend SAST-supported TypeScript Vulnerability Types

The TypeScript vulnerability types detected by Mend SAST are provided below, organized by CWE ID within each of their identified severities.

JavaScript/TypeScript High-Severity Vulnerability Types

Columns: CWE, Vulnerability Type, Low Probability Impact

CWE-22: Path/Directory Traversal
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-78: Command Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-79: Cross-Site Scripting
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-79: DOM Based Cross-Site Scripting
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-89: SQL Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-94: Code Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-134: Use of Externally-Controlled Format String
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-346: Origin Validation Error
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-502: Deserialization of Untrusted Data
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-643: XPath Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-918: Server-Side Request Forgery
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-943: NoSQL Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

JavaScript/TypeScript Medium-Severity Vulnerability Types

Columns: CWE, Vulnerability Type, Low Probability Impact

CWE-90: LDAP Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • UNAFFECTED

CWE-209: Generation of Error Message Containing Sensitive Information
  • UNAFFECTED

CWE-295: Improper Certificate Validation
  • UNAFFECTED

CWE-312: Cleartext Storage of Sensitive Information
  • UNAFFECTED

CWE-319: Cleartext Transmission of Sensitive Information
  • UNAFFECTED

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • UNAFFECTED

CWE-338: Weak Pseudo-Random
  • UNAFFECTED

CWE-347: Improper Verification of Cryptographic Signature
  • UNAFFECTED

CWE-611: XML External Entity (XXE) Injection
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-798: Hardcoded Password/Credentials
  • Additional Taint Sinks: Assignments of hard-coded strings to variables/attributes with special names like password

CWE-1004: Cookie Without 'HttpOnly' Flag
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-1333: Regex Denial of Service (ReDoS)
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

JavaScript/TypeScript Low-Severity Vulnerability Types

Columns: CWE, Vulnerability Type, Low Probability Impact

CWE-20: Cookie Injection

CWE-20: Improper Input Validation
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-117: Log Forging
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-242: Use of Inherently Dangerous Function
  • UNAFFECTED

CWE-328: Use of Weak Hash
  • UNAFFECTED

CWE-434: Unrestricted Upload of File with Dangerous Type
  • UNAFFECTED

CWE-598: Use of GET Request Method With Sensitive Query Strings

CWE-601: Unvalidated/Open Redirect
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-614: Sensitive Cookie Without Secure
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-776: Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)
  • Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
