Code Security Report: 1 high severity findings, 4 total findings [master]

# Code Security Report


### Scan Metadata

**Latest Scan:** 2025-06-29 11:47am
**Total Findings:** 4 | **New Findings:** 0 | **Resolved Findings:** 0
**Tested Project Files:** 70
**Detected Programming Languages:** 1 (JavaScript / TypeScript\*)

- [ ] Check this box to manually trigger a scan 



### Finding Details
<table role='table'><thead><tr><th>Severity</th><th>Vulnerability Type</th><th>CWE</th><th>File</th><th>Data Flows</th><th>Detected</th></tr></thead><tbody><tr><td><a href='#'><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20></a> High</td><td>Command Injection</td><td>

[CWE-78](https://cwe.mitre.org/data/definitions/78.html)

</td><td>

[Gruntfile.js:157](https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L157)

</td><td>1</td><td>2025-06-29 11:47am</td></tr><tr><td colspan='6'><details><summary><a href='#'><img src='https://saas.mend.io/sast/favicon.png' width=15 height=15></a> Vulnerable Code</summary>

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L152-L157

<details>
<summary>1 Data Flow/s detected</summary></br>


https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L151

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L155

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L158

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/Gruntfile.js#L157

</details>
</details>

<details>

<summary><a href='#'><img src='https://integration-api.securecodewarrior.com/explorer/favicon-32x32.png' width=15 height=15></a> Secure Code Warrior Training Material</summary>

● Training

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/nodejs/express)

● Videos

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/v2/OS_Command_Injections_v2.mp4)

● Further Reading

&nbsp;&nbsp;&nbsp;▪ [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))

&nbsp;&nbsp;&nbsp;▪ [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

</details>


<details><summary>:black_flag: Suppress Finding</summary>

- [ ] ... as False Alarm
- [ ] ... as Acceptable Risk

</details>


</td></tr><tr><td colspan='6'>&nbsp;</td></tr>

<tr><td><a href='#'><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20></a> Medium</td><td>Hardcoded Password/Credentials</td><td>

[CWE-798](https://cwe.mitre.org/data/definitions/798.html)

</td><td>

[profile-test.js:25](https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/test/security/profile-test.js#L25)

</td><td>4</td><td>2025-06-29 11:47am</td></tr><tr><td colspan='6'><details><summary><a href='#'><img src='https://saas.mend.io/sast/favicon.png' width=15 height=15></a> Vulnerable Code</summary>

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/test/security/profile-test.js#L25

</details>

<details>

<summary><a href='#'><img src='https://integration-api.securecodewarrior.com/explorer/favicon-32x32.png' width=15 height=15></a> Secure Code Warrior Training Material</summary>

● Training

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Hardcoded Password/Credentials Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/auth/credentialexp/nodejs/express)

● Videos

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Hardcoded Password/Credentials Video](https://media.securecodewarrior.com/v2/module_198_insufficiently_protected_credentials.mp4)

</details>


<details><summary>:black_flag: Suppress Finding</summary>

- [ ] ... as False Alarm
- [ ] ... as Acceptable Risk

</details>


</td></tr><tr><td colspan='6'>&nbsp;</td></tr>

<tr><td><a href='#'><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20></a> Medium</td><td>Hardcoded Password/Credentials</td><td>

[CWE-798](https://cwe.mitre.org/data/definitions/798.html)

</td><td>

[profile-test.js:37](https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/test/security/profile-test.js#L37)

</td><td>1</td><td>2025-06-29 11:47am</td></tr><tr><td colspan='6'><details><summary><a href='#'><img src='https://saas.mend.io/sast/favicon.png' width=15 height=15></a> Vulnerable Code</summary>

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/test/security/profile-test.js#L37

</details>

<details>

<summary><a href='#'><img src='https://integration-api.securecodewarrior.com/explorer/favicon-32x32.png' width=15 height=15></a> Secure Code Warrior Training Material</summary>

● Training

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Hardcoded Password/Credentials Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/auth/credentialexp/nodejs/express)

● Videos

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Hardcoded Password/Credentials Video](https://media.securecodewarrior.com/v2/module_198_insufficiently_protected_credentials.mp4)

</details>


<details><summary>:black_flag: Suppress Finding</summary>

- [ ] ... as False Alarm
- [ ] ... as Acceptable Risk

</details>


</td></tr><tr><td colspan='6'>&nbsp;</td></tr>

<tr><td><a href='#'><img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20></a> Low</td><td>Sensitive Cookie Without Secure</td><td>

[CWE-614](https://cwe.mitre.org/data/definitions/614.html)

</td><td>

[server.js:78](https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/server.js#L78)

</td><td>1</td><td>2025-06-29 11:47am</td></tr><tr><td colspan='6'><details><summary><a href='#'><img src='https://saas.mend.io/sast/favicon.png' width=15 height=15></a> Vulnerable Code</summary>

https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/server.js#L73-L78

<details>
<summary>1 Data Flow/s detected</summary></br>


https://github.com/VandelaySecurity/NodeGoat/blob/44c6716f2fee31be7d95ce12b781fa3ec26e4f37/server.js#L78

</details>
</details>

<details>

<summary><a href='#'><img src='https://integration-api.securecodewarrior.com/explorer/favicon-32x32.png' width=15 height=15></a> Secure Code Warrior Training Material</summary>

● Training

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Sensitive Cookie Without Secure Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/misconfig/securityfeatures/nodejs/express)

● Videos

&nbsp;&nbsp;&nbsp;▪ [Secure Code Warrior Sensitive Cookie Without Secure Video](https://media.securecodewarrior.com/v2/module_132_disabled_security_features.mp4)

</details>


<details><summary>:black_flag: Suppress Finding</summary>

- [ ] ... as False Alarm
- [ ] ... as Acceptable Risk

</details>


</td></tr></tbody></table>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Code Security Report: 1 high severity findings, 4 total findings [master] #69

Code Security Report

Scan Metadata

Finding Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Code Security Report: 1 high severity findings, 4 total findings [master] #69

Description

Code Security Report

Scan Metadata

Finding Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions