Code Security Report: 25 high severity findings, 33 total findings

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2024-11-01 02:40pm
Total Findings: 33 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 425
Detected Programming Languages: 2 (Java*, JavaScript / TypeScript*)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	SQL Injection	CWE-89	SqlInjectionLesson6a.java:74	3	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Lines 69 to 74 in b4e2b56 usedUnion = false; } try (Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) { ResultSet results = statement.executeQuery(query); 3 Data Flow/s detected View Data Flow 1 MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java Line 47 in b4e2b56 public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java Line 51 in b4e2b56 AttackResult attackResult = lesson6a.injectableQuery(userId); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 62 in b4e2b56 public AttackResult injectableQuery(String accountName) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 66 in b4e2b56 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 74 in b4e2b56 ResultSet results = statement.executeQuery(query); View Data Flow 2 MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 56 in b4e2b56 public AttackResult completed(@RequestParam(value = "userid_6a") String userId) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 57 in b4e2b56 return injectableQuery(userId); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 62 in b4e2b56 public AttackResult injectableQuery(String accountName) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 66 in b4e2b56 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 74 in b4e2b56 ResultSet results = statement.executeQuery(query); View Data Flow 3 MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java Line 51 in b4e2b56 public AttackResult attack( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java Line 53 in b4e2b56 userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", ""); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java Line 57 in b4e2b56 AttackResult attackResult = lesson6a.injectableQuery(userId); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 62 in b4e2b56 public AttackResult injectableQuery(String accountName) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 66 in b4e2b56 query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java Line 74 in b4e2b56 ResultSet results = statement.executeQuery(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson10.java:71	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Lines 66 to 71 in b4e2b56 try (Connection connection = dataSource.getConnection()) { try { Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Line 58 in b4e2b56 public AttackResult completed(@RequestParam String action_string) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Line 59 in b4e2b56 return injectableQueryAvailability(action_string); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Line 62 in b4e2b56 protected AttackResult injectableQueryAvailability(String action) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Line 64 in b4e2b56 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java Line 71 in b4e2b56 ResultSet results = statement.executeQuery(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson5.java:80	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java Lines 75 to 80 in b4e2b56 protected AttackResult injectableQuery(String query) { try (Connection connection = dataSource.getConnection()) { try (Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { statement.executeQuery(query); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java Line 70 in b4e2b56 public AttackResult completed(String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java Line 72 in b4e2b56 return injectableQuery(query); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java Line 75 in b4e2b56 protected AttackResult injectableQuery(String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java Line 80 in b4e2b56 statement.executeQuery(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	Servers.java:72	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java Lines 67 to 72 in b4e2b56 public List<Server> sort(@RequestParam String column) throws Exception { List<Server> servers = new ArrayList<>(); try (var connection = dataSource.getConnection()) { try (var statement = connection.prepareStatement( 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java Line 67 in b4e2b56 public List<Server> sort(@RequestParam String column) throws Exception { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java Line 73 in b4e2b56 "select id, hostname, ip, mac, status, description from SERVERS where status <> 'out" MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java Line 72 in b4e2b56 connection.prepareStatement( Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson3.java:63	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java Lines 58 to 63 in b4e2b56 try (Connection connection = dataSource.getConnection()) { try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { Statement checkStatement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY); statement.executeUpdate(query); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java Line 53 in b4e2b56 public AttackResult completed(@RequestParam String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java Line 54 in b4e2b56 return injectableQuery(query); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java Line 57 in b4e2b56 protected AttackResult injectableQuery(String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java Line 63 in b4e2b56 statement.executeUpdate(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson4.java:62	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java Lines 57 to 62 in b4e2b56 protected AttackResult injectableQuery(String query) { try (Connection connection = dataSource.getConnection()) { try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { statement.executeUpdate(query); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java Line 54 in b4e2b56 public AttackResult completed(@RequestParam String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java Line 55 in b4e2b56 return injectableQuery(query); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java Line 58 in b4e2b56 protected AttackResult injectableQuery(String query) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java Line 62 in b4e2b56 statement.executeUpdate(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionChallenge.java:69	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java Lines 64 to 69 in b4e2b56 try (Connection connection = dataSource.getConnection()) { String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; Statement statement = connection.createStatement(); ResultSet resultSet = statement.executeQuery(checkUserQuery); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java Line 56 in b4e2b56 public AttackResult registerNewUser( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java Line 67 in b4e2b56 "select userid from sql_challenge_users where userid = '" + username_reg + "'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java Line 69 in b4e2b56 ResultSet resultSet = statement.executeQuery(checkUserQuery); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	Assignment5.java:60	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java Lines 55 to 60 in b4e2b56 if (!"Larry".equals(username_login)) { return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); } try (var connection = dataSource.getConnection()) { PreparedStatement statement = connection.prepareStatement( 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java Line 50 in b4e2b56 public AttackResult login( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java Line 61 in b4e2b56 "select password from challenge_users where userid = '" MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java Line 60 in b4e2b56 connection.prepareStatement( Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson5a.java:67	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Lines 62 to 67 in b4e2b56 query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; try (Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { ResultSet results = statement.executeQuery(query); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Line 54 in b4e2b56 public AttackResult completed( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Line 56 in b4e2b56 return injectableQuery(account + " " + operator + " " + injection); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Line 59 in b4e2b56 protected AttackResult injectableQuery(String accountName) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Line 63 in b4e2b56 "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java Line 67 in b4e2b56 ResultSet results = statement.executeQuery(query); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet
High	SQL Injection	CWE-89	SqlInjectionLesson5b.java:86	1	2024-05-29 07:16pm
Vulnerable Code MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Lines 81 to 86 in b4e2b56 query.setInt(1, count); // String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid // = " + accountName, ; try { ResultSet results = query.executeQuery(); 1 Data Flow/s detected MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 55 in b4e2b56 public AttackResult completed( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 58 in b4e2b56 return injectableQuery(login_count, userid); MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 61 in b4e2b56 protected AttackResult injectableQuery(String login_count, String accountName) { MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 62 in b4e2b56 String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 65 in b4e2b56 connection.prepareStatement( MyDemoCorp/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java Line 86 in b4e2b56 ResultSet results = query.executeQuery(); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior SQL Injection Training ● Videos    ▪ Secure Code Warrior SQL Injection Video ● Further Reading    ▪ OWASP SQL Injection Prevention Cheat Sheet    ▪ OWASP SQL Injection    ▪ OWASP Query Parameterization Cheat Sheet

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	SQL Injection	CWE-89	Java*	14
High	Deserialization of Untrusted Data	CWE-502	Java*	2
High	Path/Directory Traversal	CWE-22	Java*	7
High	Server Side Request Forgery	CWE-918	Java*	2
Medium	XML External Entity (XXE) Injection	CWE-611	Java*	1
Medium	Error Messages Information Exposure	CWE-209	Java*	4
Low	System Properties Disclosure	CWE-497	Java*	1
Low	Weak Hash Strength	CWE-328	Java*	1
Low	Log Forging	CWE-117	Java*	1