GarySegal-Mend-Demo / Java-Demo

Apache License 2.0

Code Security Report: 12 high severity findings, 27 total findings #24

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

Code Security Report

Scan Metadata

Latest Scan: 2024-09-25 12:58am
Total Findings: 27 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 109
Detected Programming Languages: 2 (Java*, JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Automatic Remediation Available (7)

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [SQLInjectionServlet.java:69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L69) | 1 | 2024-08-18 03:35am

Vulnerable Code: [SQLInjectionServlet.java#L64-L69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L64-L69)

1 Data Flow detected:

- [SQLInjectionServlet.java#L27](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L27)
- [SQLInjectionServlet.java#L45](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L45)
- [SQLInjectionServlet.java#L60](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L60)
- [SQLInjectionServlet.java#L69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L69)

:rescue_worker_helmet: Remediation Suggestion: [SQLInjectionServlet.java.diff#L1-L102](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/8d91c4b98e1e3cccd092be3aa2c53e47340a7430/diffs/e888cd0a-5668-4f98-b39e-a17fbc7778e6/SQLInjectionServlet.java.diff#L1-L102)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading:
  - [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
  - [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
  - [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [NullByteInjectionServlet.java:47](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L47) | 1 | 2024-08-18 03:35am

Vulnerable Code: [NullByteInjectionServlet.java#L42-L47](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L42-L47)

1 Data Flow detected:

- [NullByteInjectionServlet.java#L35](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L35)
- [NullByteInjectionServlet.java#L40](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L40)
- [NullByteInjectionServlet.java#L46](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L46)
- [NullByteInjectionServlet.java#L47](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L47)

:rescue_worker_helmet: Remediation Suggestion: [NullByteInjectionServlet.java.diff#L1-L87](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/4bdd9c8e0597e31a56dd44c35b036da35026faba/diffs/9748c28f-db9d-4c16-905c-cfb096ea653d/NullByteInjectionServlet.java.diff#L1-L87)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading:
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | [AbstractServlet.java:94](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94) | 12 | 2024-08-18 03:35am

Vulnerable Code: [AbstractServlet.java#L89-L94](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L89-L94)

12 Data Flows detected (first three shown):

- Data Flow 1
  - [UnrestrictedSizeUploadServlet.java#L70](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L70)
  - [UnrestrictedSizeUploadServlet.java#L71](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
  - [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
  - [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
  - [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
  - [UnrestrictedSizeUploadServlet.java#L71](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
  - [UnrestrictedSizeUploadServlet.java#L91](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L91)
  - [UnrestrictedSizeUploadServlet.java#L98](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L98)
  - [AbstractServlet.java#L31](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
  - [AbstractServlet.java#L94](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)
- Data Flow 2
  - [LossOfTrailingDigitsServlet.java#L22](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java#L22)
  - [LossOfTrailingDigitsServlet.java#L34](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java#L34)
  - [LossOfTrailingDigitsServlet.java#L47](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java#L47)
  - [AbstractServlet.java#L31](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
  - [AbstractServlet.java#L94](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)
- Data Flow 3
  - [IntegerOverflowServlet.java#L24](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java#L24)
  - [IntegerOverflowServlet.java#L46](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java#L46)
  - [IntegerOverflowServlet.java#L45](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java#L45)
  - [IntegerOverflowServlet.java#L68](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java#L68)
  - [AbstractServlet.java#L31](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
  - [AbstractServlet.java#L94](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)
- [View more Data Flows](https://saas.mend.io/app/orgs/GarySegal-Mend-Demo/scans/4131d45a-813b-49fc-9644-4da696f0e7fb/sast?project=7ba5b522-7f1d-4efb-ba45-c16b4f644df1&findingSnapshotId=fbe1101b-d1bd-43b6-9ad5-a9ee7eaabeac&filtered=yes)

:rescue_worker_helmet: Remediation Suggestion: [AbstractServlet.java.diff#L1-L198](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/54325309d66bbc39508f62d8e29ee059212ac202/diffs/55c0fa8d-90c7-45c6-8513-8cad5dc420a1/AbstractServlet.java.diff#L1-L198)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Cross-Site Scripting Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/xss/reflected/java/vanilla)
- Videos: [Secure Code Warrior Cross-Site Scripting Video](https://media.securecodewarrior.com/v2/module_73_reflected_cross_site_scripting.mp4)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [UnrestrictedExtensionUploadServlet.java:135](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L135) | 1 | 2024-08-18 03:35am

Vulnerable Code: [UnrestrictedExtensionUploadServlet.java#L130-L135](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L130-L135)

1 Data Flow detected:

- [UnrestrictedExtensionUploadServlet.java#L69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L69)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [UnrestrictedExtensionUploadServlet.java#L84](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L84)
- [UnrestrictedExtensionUploadServlet.java#L106](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L106)
- [UnrestrictedExtensionUploadServlet.java#L135](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L135)

:rescue_worker_helmet: Remediation Suggestion: [UnrestrictedExtensionUploadServlet.java.diff#L1-L161](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/f2d0b9640e7973f6e0889e0807d06d8b5d9ca5d8/diffs/002681b3-3f29-4124-8e9b-8631ab5cef33/UnrestrictedExtensionUploadServlet.java.diff#L1-L161)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading:
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [UnrestrictedExtensionUploadServlet.java:110](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L110) | 1 | 2024-08-18 03:35am

Vulnerable Code: [UnrestrictedExtensionUploadServlet.java#L105-L110](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L105-L110)

1 Data Flow detected:

- [UnrestrictedExtensionUploadServlet.java#L69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L69)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [UnrestrictedExtensionUploadServlet.java#L84](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L84)
- [UnrestrictedExtensionUploadServlet.java#L106](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L106)
- [UnrestrictedExtensionUploadServlet.java#L110](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L110)

:rescue_worker_helmet: Remediation Suggestion: [UnrestrictedExtensionUploadServlet.java.diff#L1-L164](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/c70cbf32e1603e58a186e224a8dc474288e0083b/diffs/c1dd646b-ded9-42f1-879d-9d21b8013c9f/UnrestrictedExtensionUploadServlet.java.diff#L1-L164)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading:
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [MultiPartFileUtils.java:33](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33) | 3 | 2024-08-18 03:35am

Vulnerable Code: [MultiPartFileUtils.java#L28-L33](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28-L33)

3 Data Flows detected:

- Data Flow 1
  - [UnrestrictedSizeUploadServlet.java#L70](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L70)
  - [UnrestrictedSizeUploadServlet.java#L71](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
  - [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
  - [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
  - [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
  - [UnrestrictedSizeUploadServlet.java#L71](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
  - [UnrestrictedSizeUploadServlet.java#L80](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L80)
  - [MultiPartFileUtils.java#L28](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
  - [MultiPartFileUtils.java#L33](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)
- Data Flow 2
  - [XEEandXXEServlet.java#L141](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L141)
  - [XEEandXXEServlet.java#L148](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L148)
  - [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
  - [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
  - [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
  - [XEEandXXEServlet.java#L148](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L148)
  - [XEEandXXEServlet.java#L157](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L157)
  - [MultiPartFileUtils.java#L28](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
  - [MultiPartFileUtils.java#L33](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)
- Data Flow 3
  - [UnrestrictedExtensionUploadServlet.java#L69](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L69)
  - [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
  - [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
  - [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
  - [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
  - [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
  - [UnrestrictedExtensionUploadServlet.java#L81](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L81)
  - [MultiPartFileUtils.java#L28](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
  - [MultiPartFileUtils.java#L33](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)

:rescue_worker_helmet: Remediation Suggestion: [MultiPartFileUtils.java.diff#L1-L77](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/364bd1938da42b4b1efa2b7a17ce5c4fedec47d1/diffs/4017e0c9-5788-43ce-aa9a-0cd81f8a9d89/MultiPartFileUtils.java.diff#L1-L77)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading:
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [MailHeaderInjectionServlet.java:138](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L138) | 1 | 2024-08-18 03:35am

Vulnerable Code: [MailHeaderInjectionServlet.java#L133-L138](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L133-L138)

1 Data Flow detected:

- [MailHeaderInjectionServlet.java#L125](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L125)
- [MailHeaderInjectionServlet.java#L127](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L127)
- [MultiPartFileUtils.java#L56](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [MailHeaderInjectionServlet.java#L127](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L127)
- [MailHeaderInjectionServlet.java#L133](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L133)
- [MailHeaderInjectionServlet.java#L138](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L138)

:rescue_worker_helmet: Remediation Suggestion: [MailHeaderInjectionServlet.java.diff#L1-L186](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/0dbc78c2b12ff9df8b7b8df72747d6378021c640/diffs/cbdb8ed3-d171-4ab3-925b-826c55c6fbcd/MailHeaderInjectionServlet.java.diff#L1-L186)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading:
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)

No Automatic Remediation (3)

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | Expression Language Injection | [CWE-917](https://cwe.mitre.org/data/definitions/917.html) | [OGNLExpressionInjectionServlet.java:35](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L35) | 1 | 2024-08-18 03:35am

Vulnerable Code: [OGNLExpressionInjectionServlet.java#L30-L35](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L30-L35)

1 Data Flow detected:

- [OGNLExpressionInjectionServlet.java#L31](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L31)
- [OGNLExpressionInjectionServlet.java#L34](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L34)
- [OGNLExpressionInjectionServlet.java#L35](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L35)

Secure Code Warrior Training Material

- Further Reading:
  - [OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs)
  - [OWASP Injection Prevention Cheat Sheet in Java](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
  - [OWASP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)
  - [OWASP Top Ten 2021 A03: Injection](https://owasp.org/Top10/A03_2021-Injection/)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [CodeInjectionServlet.java:65](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L65) | 1 | 2024-08-18 03:35am

Vulnerable Code: [CodeInjectionServlet.java#L60-L65](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L60-L65)

1 Data Flow detected:

- [CodeInjectionServlet.java#L25](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L25)
- [CodeInjectionServlet.java#L44](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L44)
- [CodeInjectionServlet.java#L45](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L45)
- [CodeInjectionServlet.java#L46](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L46)
- [CodeInjectionServlet.java#L47](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L47)
- [CodeInjectionServlet.java#L61](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L61)
- [CodeInjectionServlet.java#L65](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L65)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/java/vanilla)
- Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading:
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)
  - [SEI CERT Oracle Coding Standard for Java - Prevent Code Injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection)
 
High | Server Side Request Forgery | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) | [NetworkSocketLeakServlet.java:34](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L34) | 1 | 2024-08-18 03:35am

Vulnerable Code: [NetworkSocketLeakServlet.java#L29-L34](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L29-L34)

1 Data Flow detected:

- [NetworkSocketLeakServlet.java#L27](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L27)
- [NetworkSocketLeakServlet.java#L31](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L31)
- [NetworkSocketLeakServlet.java#L34](https://github.com/GarySegal-Mend-Demo/Java-Demo/blob/da401aef62bf7461fcfb32c2edec5767948efb0a/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L34)

Secure Code Warrior Training Material

- Training: [Secure Code Warrior Server Side Request Forgery Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/ssrf/generic/java/vanilla)
- Videos: [Secure Code Warrior Server Side Request Forgery Video](https://media.securecodewarrior.com/v2/module_125_server_side_request_forgery.mp4)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Path/Directory Traversal | CWE-22 | Java* | 7 |
| High | Code Injection | CWE-94 | Java* | 1 |
| High | Expression Language Injection | CWE-917 | Java* | 1 |
| High | Cross-Site Scripting | CWE-79 | Java* | 1 |
| High | SQL Injection | CWE-89 | Java* | 1 |
| High | Server Side Request Forgery | CWE-918 | Java* | 1 |
| Medium | Insufficient Transport Layer Protection | CWE-319 | Java* | 1 |
| Medium | XML External Entity (XXE) Injection | CWE-611 | Java* | 1 |
| Medium | Trust Boundary Violation | CWE-501 | Java* | 5 |
| Medium | Error Messages Information Exposure | CWE-209 | Java* | 1 |
| Medium | Readline Denial of Service | CWE-400 | Java* | 1 |
| Low | Unvalidated/Open Redirect | CWE-601 | Java* | 4 |
| Low | Log Forging | CWE-117 | Java* | 1 |
| Low | HTTP Header Injection | CWE-113 | Java* | 1 |