
Code Security Report: 12 high severity findings, 74 total findings [main] #52

@mend-developer-platform-dev

Description


Code Security Report

Scan Metadata

Latest Scan: 2025-09-17 07:58AM
Total Findings: 74 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 31
Detected Programming Languages: 2 (Java*, JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 findings the scanner ranks as most relevant. Each entry shows the severity, CWE, the flagged sink, and one detected data flow from the request parameter (source) to the sink; triage these first, but confirm each against the full method before remediating, since only a few lines of context are shown.

Severity
Vulnerability Type
CWE
File
Data Flows
Detected
Violated Workflows
Violation Priority
Violation SLA
High
Command Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

logger.info("Pinging: " + host);
try {
/* START EXAMPLE VULNERABILITY */
proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", "ping -c1 " + host });
/* END EXAMPLE VULNERABILITY */
proc.waitFor(5, TimeUnit.SECONDS);
InputStreamReader isr = new InputStreamReader(proc.getInputStream());
BufferedReader br = new BufferedReader(isr);

Data Flows (1 detected) — the request parameter `host` is concatenated into a `bash -c` command line, so shell metacharacters in `host` are interpreted by the shell. The fix is to drop `bash -c`, pass `host` as a separate argv element (e.g. `new String[] { "ping", "-c1", host }` or a `ProcessBuilder` list), and validate it as a hostname/IP first.

public String tools(@RequestParam(value = "host", required = false) String host, @RequestParam(value = "fortunefile", required = false) String fortuneFile, Model model) {

model.addAttribute("ping", host != null ? ping(host) : "");


proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", "ping -c1 " + host });

public String tools(@RequestParam(value = "host", required = false) String host, @RequestParam(value = "fortunefile", required = false) String fortuneFile, Model model) {

model.addAttribute("ping", host != null ? ping(host) : "");


proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", "ping -c1 " + host });

Secure Code Warrior Training Material
High
Command Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

String output = "";
Process proc;
try {
/* START EXAMPLE VULNERABILITY */
proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", cmd });
/* END EXAMPLE VULNERABILITY */
proc.waitFor(5, TimeUnit.SECONDS);
InputStreamReader isr = new InputStreamReader(proc.getInputStream());
BufferedReader br = new BufferedReader(isr);

Data Flows (1 detected)

public String tools(@RequestParam(value = "host", required = false) String host, @RequestParam(value = "fortunefile", required = false) String fortuneFile, Model model) {

model.addAttribute("fortunes", fortune(fortuneFile));

private String fortune(String fortuneFile) {

String cmd = "/bin/fortune " + fortuneFile;

proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", cmd });

public String tools(@RequestParam(value = "host", required = false) String host, @RequestParam(value = "fortunefile", required = false) String fortuneFile, Model model) {

model.addAttribute("fortunes", fortune(fortuneFile));

private String fortune(String fortuneFile) {

String cmd = "/bin/fortune " + fortuneFile;

proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", cmd });

Secure Code Warrior Training Material
High
SQL Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
// Find the Blabbers
logger.info(blabbersSql);
blabberQuery = connect.prepareStatement(blabbersSql);
blabberQuery.setString(1, username);
blabberQuery.setString(2, username);
ResultSet blabbersResults = blabberQuery.executeQuery();
/* END EXAMPLE VULNERABILITY */

Data Flows (1 detected) — note: the snippet above already binds `username` through `setString` on a `PreparedStatement`. The query text `blabbersSql` is truncated here; confirm it is assembled only from constants (no user-controlled fragments concatenated in) before treating this finding as an exploitable injection rather than a scanner heuristic.


String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at,"

blabberQuery = connect.prepareStatement(blabbersSql);


String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at,"

blabberQuery = connect.prepareStatement(blabbersSql);

Secure Code Warrior Training Material
High
SQL Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"
+ username + "' and password='" + md5(password) + "';";
sqlStatement = connect.createStatement();
logger.info("Execute the Statement");
ResultSet result = sqlStatement.executeQuery(sqlQuery);
/* END EXAMPLE VULNERABILITY */
// Did we find exactly 1 user that matched?
if (result.first()) {
logger.info("User Found.");

Data Flows (1 detected)


String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"

ResultSet result = sqlStatement.executeQuery(sqlQuery);


String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"

ResultSet result = sqlStatement.executeQuery(sqlQuery);

Secure Code Warrior Training Material
High
SQL Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
logger.info(sql);
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
if (result.first()) {
String password = result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
logger.info(formatString);
return String.format(

Data Flows (1 detected)

public String showPasswordHint(String username) {

String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";

ResultSet result = statement.executeQuery(sql);

public String showPasswordHint(String username) {

String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";

ResultSet result = statement.executeQuery(sql);

Secure Code Warrior Training Material
High
SQL Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
String sql = "SELECT username FROM users WHERE username = '" + username + "'";
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
if (result.first()) {
model.addAttribute("error", "Username '" + username + "' already exists!");
return "register";
} else {
return "register-finish";

Data Flows (1 detected)


Utils.setSessionUserName(httpRequest, httpResponse, username);

public static void setSessionUserName(HttpServletRequest request, HttpServletResponse response, String value) {

Utils.setSessionUserName(httpRequest, httpResponse, username);

String sql = "SELECT username FROM users WHERE username = '" + username + "'";

ResultSet result = statement.executeQuery(sql);


Utils.setSessionUserName(httpRequest, httpResponse, username);

public static void setSessionUserName(HttpServletRequest request, HttpServletResponse response, String value) {

Utils.setSessionUserName(httpRequest, httpResponse, username);

String sql = "SELECT username FROM users WHERE username = '" + username + "'";

ResultSet result = statement.executeQuery(sql);

Secure Code Warrior Training Material
High
SQL Injection
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

query.append("'" + blabName + "'");
query.append(");");
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
logger.info(query.toString());
/* END EXAMPLE VULNERABILITY */
emailUser(username);
} catch (SQLException | ClassNotFoundException ex) {

Data Flows (1 detected) — the flow listing for this finding did not render in this export; the visible snippet shows `blabName` quoted directly into a `StringBuilder` query executed via `Statement.execute`, which should use bound parameters.





Secure Code Warrior Training Material
High
Path/Directory Traversal
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

InputStream inputStream = null;
OutputStream outStream = null;
try {
File downloadFile = new File(path);
inputStream = new FileInputStream(downloadFile);
// get MIME type of the file
String mimeType = context.getMimeType(path);
if (mimeType == null) {
// set to binary type if MIME mapping not found

Data Flows (1 detected) — `imageName` is appended to the images directory path without normalization, so a value containing `..` segments can escape `/resources/images`. Resolve the path against the base directory, normalize it, and reject it unless it still starts with the base.


String path = context.getRealPath("/resources/images") + File.separator + imageName;


inputStream = new FileInputStream(downloadFile);


String path = context.getRealPath("/resources/images") + File.separator + imageName;


inputStream = new FileInputStream(downloadFile);

Secure Code Warrior Training Material
High
Unsafe Format String
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

if (result.first()) {
String password = result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
logger.info(formatString);
return String.format(
formatString,
password,
String.format("%0" + (password.length() - 2) + "d", 0).replace("0", "*"));
} else {
return "No password found for " + username;

Data Flows (1 detected) — `username` is concatenated into the format string itself, so any `%` conversion in the username is interpreted by `String.format` (at minimum an exception, or a different output). Pass the username as a `%s` argument instead of building it into the format string, and avoid logging the password-hint message.

public String showPasswordHint(String username) {

String formatString = "Username '" + username + "' has password: %.2s%s";

public String showPasswordHint(String username) {

String formatString = "Username '" + username + "' has password: %.2s%s";

Secure Code Warrior Training Material
High
Path/Directory Traversal
1
2025-09-17 07:59AM
Code Test
HIGH
2025-10-17
Vulnerable Code

String path = imageDir + username + extension;
logger.info("Saving new profile image: " + path);
file.transferTo(new File(path)); // will delete any existing file first
} catch (IllegalStateException | IOException ex) {
logger.error(ex);
}
}

Data Flows (1 detected) — `extension` is taken from the client-supplied original filename (everything after the last `.`), so it is attacker-controlled and can carry path separators; also note `substring(lastIndexOf("."))` throws if the name has no dot. Validate the extension against an allow-list and derive the target path from the base directory rather than from the upload's name.


String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));

String path = imageDir + username + extension;

file.transferTo(new File(path)); // will delete any existing file first


String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));

String path = imageDir + username + extension;

file.transferTo(new File(path)); // will delete any existing file first

Secure Code Warrior Training Material

Findings Overview

Severity Vulnerability Type CWE Language Count
High SQL Injection CWE-89 Java* 5
High Path/Directory Traversal CWE-22 Java* 3
High Command Injection CWE-78 Java* 2
High Cross-Site Scripting CWE-79 Java* 1
High Unsafe Format String CWE-134 Java* 1
Medium Error Messages Information Exposure CWE-209 Java* 9
Medium Unsafe Reflection CWE-470 Java* 1
Medium Trust Boundary Violation CWE-501 Java* 1
Low Log Forging CWE-117 Java* 22
Low System Properties Disclosure CWE-497 Java* 21
Low Unvalidated/Open Redirect CWE-601 Java* 3
Low HTTP Header Injection CWE-113 Java* 2
Low Weak Hash Strength CWE-328 Java* 2
Low Cookie Without 'HttpOnly' Flag CWE-1004 Java* 1
