Skip to content

Code Security Report: 3 findings [master] #24

Open
Open
Code Security Report: 3 findings [master]#24
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 17, 2025

Code Security Report

Scan Metadata

Latest Scan: 2025-09-17 07:56AM
Total Findings: 3 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 212
Detected Programming Languages: 1 (Java*)

Most Relevant Findings

The list below presents the 3 most relevant findings that need your attention.

Severity
Vulnerability Type
CWE
File
Data Flows
Detected
Low
Log Forging
19
2025-09-17 07:56AM
Vulnerable Code

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Lines 169 to 178 in 93bf6c8

map.put(Fields.MESSAGE, e.getMessage());
currentSpan.log(map);
String traceId = currentSpan.context().toTraceId();
message = String.format("[%s] failed with error:[%s] (TraceId: [%s])", label, e.getMessage(), traceId);
LOGGER.error(message);
}
else
{
message = String.format("[%s] failed with error:[%s])", label, e.getMessage());
LOGGER.error(message);

Data Flows (19 detected)
Data Flow #1

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 55 in 93bf6c8

public List<String> getRepositoryVersions(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 58 in 93bf6c8

return handle(ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS, ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS + groupId + artifactId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 172 in 93bf6c8

message = String.format("[%s] failed with error:[%s] (TraceId: [%s])", label, e.getMessage(), traceId);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 173 in 93bf6c8

LOGGER.error(message);

Data Flow #2

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 75 in 93bf6c8

public Optional<String> getRepositoryVersion(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 79 in 93bf6c8

return handle(ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS, ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS + groupId + artifactId + versionId, () ->

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 172 in 93bf6c8

message = String.format("[%s] failed with error:[%s] (TraceId: [%s])", label, e.getMessage(), traceId);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 173 in 93bf6c8

LOGGER.error(message);

Data Flow #3

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 65 in 93bf6c8

public MetadataEventResponse updateProjectVersion(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 71 in 93bf6c8

return handle(ResourceLoggingAndTracing.UPDATE_VERSION, ResourceLoggingAndTracing.UPDATE_VERSION + groupId + artifactId + versionId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 172 in 93bf6c8

message = String.format("[%s] failed with error:[%s] (TraceId: [%s])", label, e.getMessage(), traceId);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 173 in 93bf6c8

LOGGER.error(message);

View more Data Flows

Secure Code Warrior Training Material
Low
Log Forging
19
2025-09-17 07:56AM
Vulnerable Code

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Lines 174 to 183 in 93bf6c8

}
else
{
message = String.format("[%s] failed with error:[%s])", label, e.getMessage());
LOGGER.error(message);
LOGGER.error("{} ( TraceId: current span not found)",message);
}
throw new TracingException(message, e);
}
finally

Data Flows (19 detected)
Data Flow #1

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 55 in 93bf6c8

public List<String> getRepositoryVersions(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 58 in 93bf6c8

return handle(ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS, ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS + groupId + artifactId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

Data Flow #2

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 65 in 93bf6c8

public MetadataEventResponse updateProjectVersion(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 71 in 93bf6c8

return handle(ResourceLoggingAndTracing.UPDATE_VERSION, ResourceLoggingAndTracing.UPDATE_VERSION + groupId + artifactId + versionId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

Data Flow #3

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 79 in 93bf6c8

public MetadataEventResponse updateProjectMaster(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 85 in 93bf6c8

return handle(ResourceLoggingAndTracing.UPDATE_LATEST_PROJECT_REVISION, ResourceLoggingAndTracing.UPDATE_LATEST_PROJECT_REVISION + groupId + artifactId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

View more Data Flows

Secure Code Warrior Training Material
Low
Log Forging
19
2025-09-17 07:56AM
Vulnerable Code

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Lines 175 to 184 in 93bf6c8

else
{
message = String.format("[%s] failed with error:[%s])", label, e.getMessage());
LOGGER.error(message);
LOGGER.error("{} ( TraceId: current span not found)",message);
}
throw new TracingException(message, e);
}
finally
{

Data Flows (19 detected)
Data Flow #1

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 55 in 93bf6c8

public List<String> getRepositoryVersions(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 58 in 93bf6c8

return handle(ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS, ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS + groupId + artifactId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 179 in 93bf6c8

LOGGER.error("{} ( TraceId: current span not found)",message);

Data Flow #2

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 75 in 93bf6c8

public Optional<String> getRepositoryVersion(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-repository-api/src/main/java/org/finos/legend/depot/artifacts/repository/resources/RepositoryResource.java

Line 79 in 93bf6c8

return handle(ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS, ResourceLoggingAndTracing.REPOSITORY_PROJECT_VERSIONS + groupId + artifactId + versionId, () ->

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 179 in 93bf6c8

LOGGER.error("{} ( TraceId: current span not found)",message);

Data Flow #3

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 65 in 93bf6c8

public MetadataEventResponse updateProjectVersion(@PathParam("groupId") String groupId,

legend-depot/legend-depot-artifacts-refresh/src/main/java/org/finos/legend/depot/store/artifacts/resources/ArtifactsRefreshResource.java

Line 71 in 93bf6c8

return handle(ResourceLoggingAndTracing.UPDATE_VERSION, ResourceLoggingAndTracing.UPDATE_VERSION + groupId + artifactId + versionId,

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 88 in 93bf6c8

protected <T> T handle(String resourceAPIMetricName, String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/resources/BaseResource.java

Line 92 in 93bf6c8

return TracerFactory.get().executeWithTrace(label, () -> handleWithLogging(resourceAPIMetricName, label, supplier));

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 151 in 93bf6c8

public <T> T executeWithTrace(String label, Supplier<T> supplier)

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 177 in 93bf6c8

message = String.format("[%s] failed with error:[%s])", label, e.getMessage());

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 178 in 93bf6c8

LOGGER.error(message);

legend-depot/legend-depot-core-tracing/src/main/java/org/finos/legend/depot/tracing/services/TracerFactory.java

Line 179 in 93bf6c8

LOGGER.error("{} ( TraceId: current span not found)",message);

View more Data Flows

Secure Code Warrior Training Material

Findings Overview

Severity Vulnerability Type CWE Language Count
Low Log Forging CWE-117 Java* 3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions