GHCbflam1 / pygoat


Code Security Report: 15 high severity findings, 35 total findings #140

Open · mend-for-github-com[bot] opened this issue 2 months ago

mend-for-github-com[bot] commented 2 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-08-30 09:32pm
Total Findings: 35 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 246
Detected Programming Languages: 2 (JavaScript / TypeScript*, Python)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [views.py:374](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L374) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L369-L374
1 Data Flow detected: [views.py:363](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L363) → [views.py:364](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L364) → [views.py:368](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L368) → [views.py:374](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L374)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos: [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading: [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)), [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
 
High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [mitre.py:230](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L230) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L225-L230
1 Data Flow detected: [mitre.py:237](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L237) → [mitre.py:238](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L238) → [mitre.py:229](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L229) → [mitre.py:230](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L230)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos: [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading: [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)), [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
 
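The two CWE-78 findings above are reported without the flagged source. The following is an added illustrative example (not pygoat's code and not the lines at views.py:374 or mitre.py:230): the same request parameter handed to a shell command line versus to an argv list with allow-list validation. The `TOOL_ARGV` stand-in is a hypothetical replacement for a network utility such as nslookup so the example runs offline; the hostname pattern is an assumption about what the parameter is meant to contain.

```python
"""CWE-78 (OS command injection) in Python: shell string vs. argv list.

Added example; the lookup tool is a stand-in and the hostname rule is assumed.
"""
import re
import shlex
import subprocess
import sys

# Hypothetical stand-in for nslookup/ping: prints the one argument it receives,
# so the example runs offline and its output shows exactly what got executed.
TOOL_ARGV = [sys.executable, "-c", "import sys; print('resolving', sys.argv[1])"]

# Assumed allow-list: RFC 1123-style hostname (dot-separated labels of letters,
# digits and hyphens, no leading/trailing hyphen, at most 253 characters).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host: str) -> str:
    """Vulnerable pattern: the request value is concatenated into a shell
    command line. /bin/sh interprets ';', '|', '&&' and '$(...)' in `host`,
    so the caller ends up running whatever follows the metacharacter."""
    cmd = shlex.join(TOOL_ARGV) + " " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(host: str) -> str:
    """Hardened pattern: allow-list the value, then pass it as one argv element
    with no shell involved.  The argv list alone already defeats metacharacter
    injection; the allow-list is still needed because a value such as '-v'
    would be parsed by the tool itself as an option (argument injection)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    proc = subprocess.run(TOOL_ARGV + [host], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("shell=True :", lookup_vulnerable(payload).splitlines())   # second line is INJECTED
    print("argv list  :", lookup_hardened("example.com").strip())
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print("rejected   :", exc)
```

Running it shows the shell form emitting `INJECTED` as a second output line, while the argv form either echoes the literal hostname or refuses the value outright. When reviewing a CWE-78 finding, check both halves: that no `shell=True` (or `os.system`/`os.popen`) remains on the path, and that the value cannot start with `-`.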
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [views.py:803](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L803) | 2 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L798-L803
2 Data Flows detected
- Data Flow 1: [views.py:783](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L783) → [views.py:789](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L789) → [views.py:803](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L803)
- Data Flow 2: [views.py:784](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L784) → [views.py:789](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L789) → [views.py:803](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L803)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/python/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html), [Preventing SQL Injection Attacks With Python](https://realpython.com/prevent-python-sql-injection/)
 
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [views.py:112](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L112) | 2 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L107-L112
2 Data Flows detected
- Data Flow 1: [views.py:100](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L100) → [views.py:108](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L108) → [views.py:112](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L112)
- Data Flow 2: [views.py:102](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L102) → [views.py:108](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L108) → [views.py:112](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L112)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/python/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html), [Preventing SQL Injection Attacks With Python](https://realpython.com/prevent-python-sql-injection/)
 
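Both CWE-89 findings have two data flows converging on one query, which is the usual shape of a login or lookup view that formats two request fields into SQL text. The following is an added illustrative example (not pygoat's code and not the queries at views.py:803 or views.py:112) using the standard-library `sqlite3` module so it runs offline; Django's `connection.cursor().execute(sql, params)` takes the same sql/params split, with `%s` placeholders instead of `?`. The table layout, the `admin` account and the attacker's chosen password are constructed sample data. It also shows why hashing passwords (CWE-916 further down in this report) does not mitigate the injection: a UNION row lets the attacker supply their own salt and hash.

```python
"""CWE-89 (SQL injection) in Python: formatted SQL text vs. bound parameters.

Added example with constructed sample data; not the project's code.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # slow, salted KDF (contrast with CWE-916 "weak hash" findings)


def _hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash TEXT NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("admin", salt, _hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def _verify(row, password: str) -> bool:
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_hash_password(password, salt), pw_hash)


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: the request value becomes part of the SQL text, so a
    quote in `username` changes the statement instead of the data."""
    sql = f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    return _verify(conn.execute(sql).fetchone(), password)


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: the statement is fixed; the driver binds the value."""
    sql = "SELECT salt, pw_hash FROM users WHERE username = ?"
    return _verify(conn.execute(sql, (username,)).fetchone(), password)


def union_bypass_username(chosen_password: str) -> str:
    """Attacker-controlled username: closes the string literal, UNIONs in a row
    whose salt and hash the attacker computed for a password they know, and
    comments out the rest.  Hashing the stored passwords does not help here."""
    salt = bytes(16)
    fake_hash = _hash_password(chosen_password, salt)
    return f"nobody' UNION SELECT X'{salt.hex()}', '{fake_hash}' --"


if __name__ == "__main__":
    db = make_db()
    payload = union_bypass_username("letmein")
    print("formatted SQL, attacker password:", login_vulnerable(db, payload, "letmein"))  # True
    print("bound params,  attacker password:", login_hardened(db, payload, "letmein"))   # False
    print("bound params,  real credentials :", login_hardened(db, "admin", "correct horse"))
```

With bound parameters the whole payload is compared against the `username` column as an opaque string and no row matches. When triaging this finding class, look for f-strings, `%` formatting, `.format()` or `+` on the line the scanner flags; `cursor.execute("... %s", [value])` and the ORM's `filter()` are the parameterized forms.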
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [views.py:513](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L513) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L508-L513
1 Data Flow detected: [views.py:508](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L508)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/python/vanilla)
- Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading: [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [mitre.py:215](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L215) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L210-L215
1 Data Flow detected: [mitre.py:214](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/mitre.py#L214)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/python/vanilla)
- Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading: [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [a9_lab2.html:58](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/A9/a9_lab2.html#L58) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/A9/a9_lab2.html#L53-L58
1 Data Flow detected: [a9_lab2.html:54](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/A9/a9_lab2.html#L54)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/python/vanilla)
- Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading: [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
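The three CWE-94 findings above each have a single-step data flow, which is what the scanner reports when a request value reaches `eval()`/`exec()` (or a template that embeds it in script) directly. The following is an added illustrative example (not pygoat's code and not the lines at views.py:513, mitre.py:215 or a9_lab2.html:58): a calculator endpoint evaluating a user expression with `eval()`, beside a replacement that walks a restricted AST. The arithmetic-only grammar is an assumed requirement for the illustration.

```python
"""CWE-94 (code injection) in Python: eval() vs. a restricted AST evaluator.

Added example; the arithmetic-only requirement is assumed for illustration.
"""
import ast
import operator

BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 64  # bound so "9**9**9" cannot exhaust memory/CPU


def calc_vulnerable(expr: str):
    """Vulnerable pattern: eval() runs arbitrary Python, not just arithmetic.
    Passing an empty __builtins__ does not contain it: attribute access on a
    literal still reaches the interpreter's object graph (see the test)."""
    return eval(expr, {"__builtins__": {}}, {})


def calc_hardened(expr: str):
    """Hardened pattern: parse the text and accept only numeric constants,
    binary/unary arithmetic and parentheses.  Anything else (names, calls,
    attribute access, subscripts, comprehensions) is rejected before it runs."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return BIN_OPS[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


if __name__ == "__main__":
    benign = "2**10 - 3*4"
    hostile = "().__class__.__base__.__subclasses__()"   # enumerates loaded classes
    print("eval     :", calc_vulnerable(benign), "| hostile ->", type(calc_vulnerable(hostile)).__name__)
    print("restricted:", calc_hardened(benign))
    try:
        calc_hardened(hostile)
    except ValueError as exc:
        print("restricted:", exc)
```

The hostile expression needs no builtins and no names: starting from an empty tuple it reaches `object` and lists every loaded class, from which a well-known chain reaches `os`. A safe evaluator has to be a whitelist over the parse tree, not a blacklist of strings; the exponent cap is there because an arithmetic-only grammar is still a denial-of-service surface.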
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [views.py:509](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L509) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L504-L509
1 Data Flow detected: [views.py:507](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L507)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/python/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading: [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal), [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [views.py:852](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L852) | 2 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L847-L852
2 Data Flows detected
- Data Flow 1: [views.py:848](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L848) → [views.py:851](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L851) → [views.py:852](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L852)
- Data Flow 2: [apis.py:22](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/apis.py#L22) → [utility.py:40](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/utility.py#L40) → [utility.py:41](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/utility.py#L41) → [utility.py:46](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/utility.py#L46) → [utility.py:47](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/utility.py#L47) → [View remaining steps](https://saas.whitesourcesoftware.com/app/orgs/Bens%20Org/scans/7d43b882-a09c-4dc0-ae4e-9d3a77f9e7eb/sast?project=6b1ca1c2-a531-4d88-9cf0-3337265addff&findingSnapshotId=e34b0932-67ab-49cf-993b-c1b43a5af701&filtered=yes) → [apis.py:32](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/apis.py#L32) → [views.py:843](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L843) → [views.py:848](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L848) → [views.py:851](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L851) → [views.py:852](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/views.py#L852)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/python/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading: [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal), [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [ssrf_lab.html:57](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/ssrf/ssrf_lab.html#L57) | 1 | 2024-08-30 05:24pm
Vulnerable Code: https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/ssrf/ssrf_lab.html#L52-L57
1 Data Flow detected: [ssrf_lab.html:53](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/ssrf/ssrf_lab.html#L53) → [ssrf_lab.html:56](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/ssrf/ssrf_lab.html#L56) → [ssrf_lab.html:57](https://github.com/GHCbflam1/pygoat/blob/affedb71685ac183ffee2266c620d9b033f6311a/pygoat/introduction/templates/Lab/ssrf/ssrf_lab.html#L57)
Secure Code Warrior Training Material
- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/python/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading: [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal), [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
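The CWE-22 findings above (views.py:509, views.py:852 and the ssrf_lab.html template) are reported as a client-controlled value reaching a file path. The following is an added illustrative example, not pygoat's code and not those lines: a handler that serves a file named by the request from a fixed directory, written first with a bare `os.path.join()` and then with resolution and containment checks. The `public/` directory, `readme.txt` and `secret.txt` are constructed in a temporary directory so the example runs offline; the decision to reject symlinks that point outside the base is an assumed policy.

```python
"""CWE-22 (path traversal) in Python: os.path.join() vs. resolve-then-contain.

Added example with a constructed directory layout; not the project's code.
"""
import os
import tempfile


def read_vulnerable(base_dir: str, name: str) -> bytes:
    """Vulnerable pattern: os.path.join() keeps '..' segments, and when `name`
    is absolute it discards base_dir altogether (join('/srv', '/etc/passwd')
    is '/etc/passwd' on POSIX)."""
    with open(os.path.join(base_dir, name), "rb") as fh:
        return fh.read()


def safe_path(base_dir: str, name: str) -> str:
    """Resolve symlinks and '..' on both sides, then require the result to sit
    under the base.  commonpath() compares whole path components, so
    '/srv/files2' is not mistaken for a child of '/srv/files' the way a plain
    startswith() check would.  Assumed policy: symlinks leading outside the
    base are rejected as well, since realpath() follows them."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base!r}: {name!r}")
    return target


def read_hardened(base_dir: str, name: str) -> bytes:
    with open(safe_path(base_dir, name), "rb") as fh:
        return fh.read()


def _attempt(fn, base_dir: str, name: str) -> str:
    try:
        return fn(base_dir, name).decode()
    except PermissionError:
        return "blocked"


def demo() -> dict:
    """Constructed layout: <tmp>/public/readme.txt is meant to be served;
    <tmp>/secret.txt sits one level above and must not be reachable."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "readme.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("TOP SECRET")
        results["vuln_traversal"] = _attempt(read_vulnerable, public, "../secret.txt")
        results["hard_traversal"] = _attempt(read_hardened, public, "../secret.txt")
        results["hard_ok"] = _attempt(read_hardened, public, "readme.txt")
        results["join_discards_base"] = not os.path.join(public, "/etc/passwd").startswith(public)
        try:
            os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(public, "link.txt"))
            results["hard_symlink"] = _attempt(read_hardened, public, "link.txt")
        except OSError:  # symlink creation not permitted on this platform/user
            results["hard_symlink"] = "skipped"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

Rejecting `..` with a string check is not enough on its own: URL-decoded, double-encoded or absolute paths slip past it, which is why the hardened version works on the resolved path rather than on the input. If the served names are known in advance, an allow-list of filenames is simpler still.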

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | Python | 3 |
| High | Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | Python | 3 |
| High | DOM Based Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | JavaScript / TypeScript* | 1 |
| High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Python | 2 |
| High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | Python | 4 |
| High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | Python | 2 |
| Medium | Hardcoded Password/Credentials | [CWE-798](https://cwe.mitre.org/data/definitions/798.html) | Python | 8 |
| Medium | Hidden HTML Input | [CWE-472](https://cwe.mitre.org/data/definitions/472.html) | Python | 8 |
| Low | Weak Hash Strength | [CWE-916](https://cwe.mitre.org/data/definitions/916.html) | Python | 4 |