Java SAST
What xgrep detects in Java — injection, deserialization, XXE, SSRF, weak crypto, and Android/Spring-specific issues — with request-to-sink taint analysis.
xgrep parses .java into tree-sitter ASTs and ships roughly 180 rules, 37 of
them taint-based, with dedicated coverage for Spring, Android, and
JSP/Jakarta.
xgrep scan --include '*.java' .

What xgrep detects
Injection — sql-injection-http-request, spring-sql-injection,
command-injection-http-request, ldap-injection-http-request,
xpath-injection-http-request, ognl-injection, jndi-injection,
jsp-el-injection, template-injection, groovy-code-injection,
unsafe-reflection, log-injection, format-string-injection, regex-injection,
xslt-injection, response-splitting.
Deserialization & XXE — unsafe-deserialization, unsafe-deserialization-taint,
xxe-parser.
SSRF, redirects & path traversal — ssrf-http-request,
path-traversal-http-request, partial-path-traversal, open-redirect,
url-forward.
Cross-site scripting — jsp-scriptlet-xss, jsp-unescaped-output,
xss-response-writer.
Crypto & TLS — weak-cipher-algorithm, weak-hash-algorithm, weak-key-size,
rsa-no-padding, static-iv, predictable-seed, weak-random, insecure-tls,
insecure-trust-manager, hostname-verification.
Auth, sessions & cookies — cookie-auth-bypass, insecure-cookie,
cookie-no-httponly, jwt-verification, csrf-state-changing-get,
insecure-basic-auth, insecure-ldap-auth.
Android — webview-javascript, webview-content-access, webview-debugging,
intent-redirection, implicit-pending-intent, unsafe-intent,
unprotected-boot-receiver, sensitive-broadcast, apk-installation.
Spring — spring-actuator-exposure (and its YAML variant).
Data exposure — sensitive-data-logging, stacktrace-exposure,
cleartext-storage / -transmission, hardcoded-credentials, temp-dir-disclosure,
world-writable-file, trust-boundary-violation.
Correctness & concurrency — a large set covering lock-order-deadlock,
double-checked-locking, inconsistent-equals-hashcode, resource leaks, and more
(run with --category correctness).
Taint analysis
37 rules use taint mode: the *-http-request
family fires only when data from a servlet/Spring request reaches an injection sink,
and *-taint variants (e.g. unsafe-deserialization-taint, static-iv-taint) trace
tainted values to the dangerous operation — keeping findings exploitable, not shape-only.
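To make the source-to-sink distinction concrete, here is an added example class (not from the xgrep docs or code base; the class, table and column names are made up) with three query builders: one where a request parameter reaches Statement.executeQuery through string concatenation, which is the request-to-sink flow sql-injection-http-request is meant to report; one with the same sink but a constant-only query, which a shape-only rule would match but a taint rule should stay quiet on; and a parameterized version with no concatenation sink at all.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;

// Hypothetical class used only to illustrate request-to-sink taint flow.
public class UserLookup {
    private final Connection conn; // assumed to be opened/injected elsewhere

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    // Source: a servlet request parameter. Sink: Statement.executeQuery fed by
    // string concatenation. Request data reaches the sink, so a taint rule such as
    // sql-injection-http-request is designed to report this method.
    ResultSet taintedQuery(HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name"); // tainted source
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + name + "'"); // sink
    }

    // Same sink shape (concatenated string into executeQuery), but every part of the
    // query is a constant: nothing from the request flows in. A shape-only rule
    // matches this; a taint rule finds no tainted source and does not fire.
    ResultSet constantQuery() throws SQLException {
        String role = "admin";
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE role = '" + role + "'");
    }

    // Hardened: the request value is bound as a parameter, never spliced into SQL
    // text, so there is no concatenation sink for the tainted value to reach.
    ResultSet safeQuery(HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name"); // still tainted, but never reaches SQL text
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

Running xgrep scan --include '*.java' . over a file like this is a quick way to confirm that the taint rule reports the first method and not the second, while the third has no sink to report.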
See also Secrets scanning and the CLI reference.