Supported languages and vulnerability categories

SAST Aviator is verified by OpenText to maximize accuracy. The extent to which a particular vulnerability category in a certain programming language is supported by SAST Aviator may differ based on the amount of verification and optimization that has already been performed. There are three classes:

Class	Description
Supported with automatic suppression	Cases with a high degree of confidence. By default, SAST Aviator will perform automatic suppression of false positives.
Supported without automatic suppression	Cases where confidence is yet to be established to the same standard. By default, SAST Aviator does not perform automatic suppression.
Not supported	A small set of cases that cannot be handled by SAST Aviator.

The underlying LLM used by SAST Aviator evolves over time. Because not every LLM version is immediately available in all cloud hosting locations used by SAST Aviator, different instances of SAST Aviator may use different LLM versions at any point in time. The LLM version in use determines the classification of cases. Generally, on newer LLMs, more classes can be moved to “automatic suppression”.

The following overview lists how language/category combinations are classified in the current version of SAST Aviator for off-cloud and hosted customers.

Supported language/category combinations with automatic suppression

• Java

  • All categories except explicitly non-supported ones.

• .NET

  • Dynamic Code Evaluation: Serializable delegate

  • Password Management: Password in Configuration File

  • System Information Leak: External

  • Header Manipulation

  • Credential Management: Hardcoded API Credentials

  • Server-Side Request Forgery

  • Value Shadowing

  • Mass Assignment: Insecure Binder Configuration

  • ASP.NET MVC Bad Practices: Model with Required Non-Nullable Property

  • Value Shadowing

  • SQL Injection

  • ASP.NET MVC Bad Practices: Optional Submodel with Required Property

  • Password Management: Hardcoded Password

  • Privacy Violation

  • Cross-Site Scripting: Reflected

  • Path Manipulation

  • Open Redirect

  • Mass Assignment: Sensitive Field Exposure

  • XML Injection

  • XPath Injection

  • Null Dereference

  • Unreleased Resource: Unmanaged Object

  • Portability Flaw: File Separator

  • ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

Supported without automatic suppression

• All other language/category combinations supported by OpenText SAST, except explicitly excluded cases.

Not supported

• One vulnerability category is explicitly not-supported:

  • Privilege Management: Unnecessary Permission.

Note: The verification of this category issues requires access to the complete source code at once, which is not compatible with the way SAST Aviator functions.