SharonKoch / AltoroJ_Demo

WARNING: This app contains security vulnerabilities. AltoroJ is a sample banking J2EE web application. It shows what happens when web applications are written with consideration of app functionality but not app security. It's a simple and uncluttered platform for demonstrating and learning more about real-life application security issues.
Apache License 2.0

Code Security Report: 24 high severity findings, 41 total findings #12

Status: Open. Opened by mend-for-github-com[bot] 11 months ago.

mend-for-github-com[bot] commented 11 months ago

## Code Security Report

### Scan Metadata

- Latest Scan: 2024-04-30 04:19am
- Total Findings: 41 | New Findings: 41 | Resolved Findings: 41
- Tested Project Files: 135
- Detected Programming Languages: 2 (JavaScript / Node.js, Java*)

### Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

#### Automatic Remediation Available (6)

Severity · Vulnerability Type · CWE · File · Data Flows · Date

**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:219](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L219) · Data Flows: 3 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L214-L219

3 Data Flow/s detected

- Data Flow 1: [CCApplyServlet.java#L47](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java#L47) → [CCApplyServlet.java#L51](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/CCApplyServlet.java#L51) → [DBUtil.java#L212](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L212) → [DBUtil.java#L219](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L219)
- Data Flow 2: [LoginServlet.java#L79](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L79) → [LoginServlet.java#L80](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L80) → [LoginServlet.java#L82](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L82) → [DBUtil.java#L212](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L212) → [DBUtil.java#L219](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L219)
- Data Flow 3: [LoginAPI.java#L31](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java#L31) → [LoginAPI.java#L35](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java#L35) → [LoginAPI.java#L52](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java#L52) → [LoginAPI.java#L57](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/LoginAPI.java#L57) → [DBUtil.java#L212](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L212) → [DBUtil.java#L219](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L219)

Remediation Suggestion: https://github.com/SharonKoch/AltoroJ_Demo/blob/d1e3d30bda8ab89961657cf0f47c799152ab0f93/diffs/dcbd2153-75ca-4447-a84a-c5c6b350e785/DBUtil.java.diff#L1-L549
- [ ] Create Pull Request

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:519](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L519) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L514-L519

2 Data Flow/s detected

- Data Flow 1: [FeedbackServlet.java#L49](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/FeedbackServlet.java#L49) → [FeedbackServlet.java#L57](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/FeedbackServlet.java#L57) → [OperationsUtil.java#L119](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L119) → [OperationsUtil.java#L127](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L127) → [DBUtil.java#L515](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L515) → [DBUtil.java#L519](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L519)
- Data Flow 2: [FeedbackAPI.java#L25](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/FeedbackAPI.java#L25) → [FeedbackAPI.java#L32](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/FeedbackAPI.java#L32) → [FeedbackAPI.java#L44](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/FeedbackAPI.java#L44) → [FeedbackAPI.java#L54](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/FeedbackAPI.java#L54) → [OperationsUtil.java#L119](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L119) → [OperationsUtil.java#L127](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L127) → [DBUtil.java#L515](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L515) → [DBUtil.java#L519](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L519)

Remediation Suggestion: https://github.com/SharonKoch/AltoroJ_Demo/blob/5b2ed23474b86d84bbb6b355cb0962b39c1c13b8/diffs/c551f38a-ff75-4798-96f8-dae0f2575c2c/DBUtil.java.diff#L1-L549
- [ ] Create Pull Request

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:494](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L494) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L489-L494

2 Data Flow/s detected

- Data Flow 1: [AdminServlet.java#L57](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L57) → [AdminServlet.java#L80](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L80) → [DBUtil.java#L490](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L490) → [DBUtil.java#L494](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L494)
- Data Flow 2: [AdminAPI.java#L67](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L67) → [AdminAPI.java#L80](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L80) → [AdminAPI.java#L84](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L84) → [AdminAPI.java#L103](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L103) → [DBUtil.java#L490](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L490) → [DBUtil.java#L494](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L494)

Remediation Suggestions:
- https://github.com/SharonKoch/AltoroJ_Demo/blob/b84733da4613a23d484536881bae2e3664b18a8f/diffs/d042f4f1-28e2-4e71-9faa-ac0fd6b02ab7/DBUtil.java.diff#L1-L564 ([ ] Create Pull Request)
- https://github.com/SharonKoch/AltoroJ_Demo/blob/a61a80b0785579086d21f9d81d2e6642a7c8fb59/diffs/b8db8f84-fba0-4022-ba0e-962053c8095e/DBUtil.java.diff#L1-L542 ([ ] Create Pull Request)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:506](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L506) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L501-L506

2 Data Flow/s detected

- Data Flow 1: [AdminServlet.java#L91](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L91) → [AdminServlet.java#L103](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L103) → [DBUtil.java#L502](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L502) → [DBUtil.java#L506](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L506)
- Data Flow 2: [AdminAPI.java#L22](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L22) → [AdminAPI.java#L32](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L32) → [AdminAPI.java#L35](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L35) → [AdminAPI.java#L56](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java#L56) → [DBUtil.java#L502](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L502) → [DBUtil.java#L506](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L506)

Remediation Suggestions:
- https://github.com/SharonKoch/AltoroJ_Demo/blob/67038046502a1e14e349ec3c47774ac45a422654/diffs/c72637f3-892e-46c7-b1c1-e29333299620/DBUtil.java.diff#L1-L572 ([ ] Create Pull Request)
- https://github.com/SharonKoch/AltoroJ_Demo/blob/da157194230c379d2d1d8fb66db9cb17672b4895/diffs/eae23c9e-54c0-46bc-be11-b9112f9d271a/DBUtil.java.diff#L1-L541 ([ ] Create Pull Request)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:471](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L471) · Data Flows: 1 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L466-L471

1 Data Flow/s detected

- Data Flow 1: [AdminServlet.java#L45](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L45) → [AdminServlet.java#L49](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java#L49) → [DBUtil.java#L467](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L467) → [DBUtil.java#L471](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L471)

Remediation Suggestion: https://github.com/SharonKoch/AltoroJ_Demo/blob/aeee3cba7f058732254a61237fa63bdb2c74580d/diffs/59963c29-d80e-4c5c-bb6c-408de0ece98b/DBUtil.java.diff#L1-L557
- [ ] Create Pull Request

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:242](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L242) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L237-L242

2 Data Flow/s detected

- Data Flow 1: [LoginServlet.java#L75](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L75) → [LoginServlet.java#L94](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L94) → [ServletUtil.java#L340](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java#L340) → [ServletUtil.java#L342](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java#L342) → [DBUtil.java#L236](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L236) → [DBUtil.java#L242](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L242)
- Data Flow 2: [OperationsUtil.java#L136](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L136) → [OperationsUtil.java#L139](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L139) → [OperationsUtil.java#L140](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L140) → [OperationsUtil.java#L141](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L141) → [OperationsUtil.java#L142](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L142) → [DBUtil.java#L236](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L236) → [DBUtil.java#L242](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L242)

Remediation Suggestion: https://github.com/SharonKoch/AltoroJ_Demo/blob/baaff83164a09da1bf44a720ea3b80bd698af6f5/diffs/5fae787a-9055-4357-8816-b19a686263cb/DBUtil.java.diff#L1-L547
- [ ] Create Pull Request

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)

#### No Automatic Remediation (4)

Severity · Vulnerability Type · CWE · File · Data Flows · Date

**High** · Command Injection · [CWE-78](https://cwe.mitre.org/data/definitions/78.html) · [index.jsp:65](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L65) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L60-L65

2 Data Flow/s detected

- Data Flow 1: [index.jsp#L34](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L34) → [index.jsp#L56](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L56) → [index.jsp#L65](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L65)
- Data Flow 2: [index.jsp#L38](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L38) → [index.jsp#L62](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L62) → [index.jsp#L65](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/index.jsp#L65)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/java/vanilla)
- Videos: [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading: [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)), [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
 
**High** · Code Injection · [CWE-94](https://cwe.mitre.org/data/definitions/94.html) · [serverStatusCheck.html:41](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/util/serverStatusCheck.html#L41) · Data Flows: 1 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/util/serverStatusCheck.html#L36-L41

1 Data Flow/s detected

- Data Flow 1: [serverStatusCheck.html#L41](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/util/serverStatusCheck.html#L41)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading: [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:403](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L403) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L398-L403

2 Data Flow/s detected

- Data Flow 1: [transaction.jsp#L41](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/bank/transaction.jsp#L41) → [transaction.jsp#L47](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/WebContent/bank/transaction.jsp#L47) → [User.java#L101](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L101) → [User.java#L104](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L104) → [DBUtil.java#L370](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L370) → [DBUtil.java#L396](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L396) → [DBUtil.java#L399](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L399) → [DBUtil.java#L403](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L403)
- Data Flow 2: [AccountAPI.java#L144](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java#L144) → [AccountAPI.java#L157](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java#L157) → [AccountAPI.java#L159](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java#L159) → [AccountAPI.java#L171](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/api/AccountAPI.java#L171) → [User.java#L101](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L101) → [User.java#L104](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L104) → [DBUtil.java#L370](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L370) → [DBUtil.java#L396](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L396) → [DBUtil.java#L399](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L399) → [DBUtil.java#L403](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L403)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
**High** · SQL Injection · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [DBUtil.java:276](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L276) · Data Flows: 2 · 2024-04-30 04:20am

Vulnerable Code: https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L271-L276

2 Data Flow/s detected

- Data Flow 1: [LoginServlet.java#L75](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L75) → [LoginServlet.java#L94](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java#L94) → [ServletUtil.java#L340](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java#L340) → [ServletUtil.java#L342](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java#L342) → [DBUtil.java#L236](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L236) → [View remaining steps](https://saas.whitesourcesoftware.com/app/orgs/SAST%20Code%20Repo%20Demo/scans/69a77b7b-fff3-462f-94b6-80a9aa83b8f4/sast?project=13cfcd9d-3362-4278-ae75-d773a4c43eeb&findingSnapshotId=bd3cae2e-c223-4cbf-8dde-07959229de6f&filtered=yes) → [ServletUtil.java#L343](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java#L343) → [User.java#L76](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L76) → [User.java#L78](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L78) → [DBUtil.java#L270](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L270) → [DBUtil.java#L276](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L276)
- Data Flow 2: [OperationsUtil.java#L136](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L136) → [OperationsUtil.java#L139](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L139) → [OperationsUtil.java#L140](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L140) → [OperationsUtil.java#L141](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L141) → [OperationsUtil.java#L142](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java#L142) → [View remaining steps](https://saas.whitesourcesoftware.com/app/orgs/SAST%20Code%20Repo%20Demo/scans/69a77b7b-fff3-462f-94b6-80a9aa83b8f4/sast?project=13cfcd9d-3362-4278-ae75-d773a4c43eeb&findingSnapshotId=bd3cae2e-c223-4cbf-8dde-07959229de6f&filtered=yes) → [User.java#L86](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L86) → [User.java#L76](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L76) → [User.java#L78](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/model/User.java#L78) → [DBUtil.java#L270](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L270) → [DBUtil.java#L276](https://github.com/SharonKoch/AltoroJ_Demo/blob/26d8298c96fa7f921514afe55ecbd5b632c12ed9/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java#L276)

Secure Code Warrior Training Material
- Training: [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos: [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading: [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html), [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection), [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)

### Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Code Injection | CWE-94 | JavaScript / Node.js | 1 |
| High | Cross-Site Scripting | CWE-79 | Java* | 11 |
| High | SQL Injection | CWE-89 | Java* | 8 |
| High | Command Injection | CWE-78 | Java* | 1 |
| High | DOM Based Cross-Site Scripting | CWE-79 | JavaScript / Node.js | 3 |
| Medium | Error Messages Information Exposure | CWE-209 | Java* | 10 |
| Medium | Hardcoded Password/Credentials | CWE-798 | JavaScript / Node.js | 1 |
| Medium | Trust Boundary Violation | CWE-501 | Java* | 2 |
| Low | Unvalidated/Open Redirect | CWE-601 | JavaScript / Node.js | 4 |
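Eight of the high-severity findings above are the same CWE-89 pattern with different sources: request parameters flowing from a servlet or API class into a query assembled in DBUtil.java. The following is an added, constructed example (not AltoroJ code and not the content of the Mend remediation diffs) showing what that pattern looks like in a login query and what the parameterized fix changes. The table schema, seed users and payloads are all made up for the demo; Python's sqlite3 stands in for JDBC, and the Java fix has the same shape (a PreparedStatement with `?` placeholders and `setString`), which is what the linked OWASP Query Parameterization Cheat Sheet recommends.

```python
"""Constructed CWE-89 demonstration: concatenated login query vs. parameterized query."""
import sqlite3

# Constructed sample data. Table and column names are assumptions for this demo,
# not taken from the AltoroJ schema.
SEED_USERS = [
    ("admin", "Passw0rd!", "admin"),
    ("jsmith", "demo1234", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (user_id TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The anti-pattern the scanner flags: untrusted input concatenated into SQL.

    Returns the matched user_id, or None. Any quote in the input changes the
    query's structure instead of being treated as data.
    """
    sql = (
        "SELECT user_id FROM people WHERE user_id='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized form: the driver binds the values separately from the SQL
    text, so the same payloads are matched literally and fail to authenticate."""
    row = conn.execute(
        "SELECT user_id FROM people WHERE user_id=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Attacker-controlled username: the quote closes the string literal and "--"
# comments out the rest of the WHERE clause, so the vulnerable query becomes
#   SELECT user_id FROM people WHERE user_id='admin' --' AND password='wrong'
COMMENT_PAYLOAD = "admin' --"

# A tautology payload in both fields: AND binds tighter than OR, so the trailing
# OR '1'='1' makes the predicate true for every row and the first row wins.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both implementations against valid credentials and both payloads."""
    conn = make_db()
    return {
        "vulnerable_valid": vulnerable_login(conn, "jsmith", "demo1234"),
        "vulnerable_comment_bypass": vulnerable_login(conn, COMMENT_PAYLOAD, "wrong"),
        "vulnerable_tautology_bypass": vulnerable_login(
            conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD
        ),
        "safe_valid": safe_login(conn, "jsmith", "demo1234"),
        "safe_comment_payload": safe_login(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_tautology_payload": safe_login(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Both bypasses succeed only through `vulnerable_login`; `safe_login` returns None for the same inputs because the bound parameters never reach the SQL parser. When reviewing the remediation diffs linked above, the thing to confirm is that every user-influenced value moved into a bound parameter, and that anything which cannot be bound (a column name or sort direction, for example) is checked against a fixed allowlist rather than escaped.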