SharonKoch / Gitea_Demo

MIT License

Code Security Report: 6 high severity findings, 81 total findings #5

Status: Closed (mend-for-github-com[bot] closed this issue 3 months ago)

mend-for-github-com[bot] commented 5 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-06-02 04:47am
Total Findings: 81 | New Findings: 76 | Resolved Findings: 0
Tested Project Files: 1807
Detected Programming Languages: 2 (Go, JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Automatic Remediation Available (1)

| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | DOM Based Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | [DiffFileTree.vue:107](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/web_src/js/components/DiffFileTree.vue#L107) | 1 | 2024-05-19 05:08am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/web_src/js/components/DiffFileTree.vue#L102-L107

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/web_src/js/components/DiffFileTree.vue#L106
Remediation Suggestion: https://github.com/SharonKoch/Gitea_Demo/blob/0200595b93927a307dc8b452368550ffcd0a990c/diffs/8b7f13a1-d322-42de-8be0-8e8de8da3252/DiffFileTree.vue.diff#L1-L150
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior DOM Based Cross-Site Scripting Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/xss/dom/nodejs/express)
- Videos
  - [Secure Code Warrior DOM Based Cross-Site Scripting Video](https://media.securecodewarrior.com/v2/module_123_dom_based_xss.mp4)

No Automatic Remediation (9)

| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | File Manipulation | [CWE-73](https://cwe.mitre.org/data/definitions/73.html) | [remove.go:77](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/remove.go#L77) | 1 | 2024-06-02 04:48am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/remove.go#L72-L77

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L150
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/remove.go#L74
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/remove.go#L77

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior File Manipulation Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/go/vanilla)
- Videos
  - [Secure Code Warrior File Manipulation Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [dumper.go:128](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L128) | 1 | 2024-05-19 05:08am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L123-L128

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L139
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L123
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L124
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L128

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/go/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [dumper.go:84](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84) | 4 | 2024-05-19 05:08am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L79-L84

4 Data Flow/s detected:

Data Flow 1
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L139
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L83
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84

Data Flow 2
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L139
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L83
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84

Data Flow 3
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L139
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L123
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L124
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L139
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L83
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/dump/dumper.go#L84

[View more Data Flows](https://saas.whitesourcesoftware.com/app/orgs/Mend%20unified%20Demo%20w%2FGithub.com/scans/1d1df01f-0e42-47c7-819f-4eb93ac5d7bb/sast?project=7db603ab-225c-48fc-97a9-34dee688b6ed&findingSnapshotId=9f01a354-0e08-42b3-91d7-d632f152a5c9&filtered=yes)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/go/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [writer.go:101](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101) | 2 | 2024-05-19 05:08am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L96-L101

2 Data Flow/s detected:

Data Flow 1
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L100
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101

Data Flow 2
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L150
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L100
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/util/rotatingfilewriter/writer.go#L101

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/go/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [serv.go:313](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L313) | 1 | 2024-05-19 05:08am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L308-L313

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L155
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L175
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L191
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L301
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/cmd/serv.go#L313

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/go/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| Medium | Insecure TLS Configuration | [CWE-295](https://cwe.mitre.org/data/definitions/295.html) | [internal.go:48](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L48) | 1 | 2024-06-02 04:48am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L43-L48

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L48

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Insecure TLS Configuration Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/mobile/insufficient_transport_layer_protection/weak_certificate_validation/go/vanilla)
- Videos
  - [Secure Code Warrior Insecure TLS Configuration Video](https://media.securecodewarrior.com/v2/Module_118_WEAK_CERTIFICATE_VALIDATION_v2.mp4)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| Medium | Insecure TLS Configuration | [CWE-295](https://cwe.mitre.org/data/definitions/295.html) | [internal.go:44](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L44) | 1 | 2024-06-02 04:48am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L39-L44

1 Data Flow/s detected:
- https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/modules/private/internal.go#L44

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Insecure TLS Configuration Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/mobile/insufficient_transport_layer_protection/weak_certificate_validation/go/vanilla)
- Videos
  - [Secure Code Warrior Insecure TLS Configuration Video](https://media.securecodewarrior.com/v2/Module_118_WEAK_CERTIFICATE_VALIDATION_v2.mp4)
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| Medium | Heap Inspection | [CWE-244](https://cwe.mitre.org/data/definitions/244.html) | [admin.go:22](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/services/forms/admin.go#L22) | 1 | 2024-06-02 04:48am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/services/forms/admin.go#L22
 
| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| Medium | Heap Inspection | [CWE-244](https://cwe.mitre.org/data/definitions/244.html) | [gogs.go:69](https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/services/migrations/gogs.go#L69) | 1 | 2024-06-02 04:48am |

Vulnerable Code: https://github.com/SharonKoch/Gitea_Demo/blob/e10134dd0ff07aae5f414b8ef2d67d31b8bd81fc/services/migrations/gogs.go#L69

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Command Injection | CWE-78 | Go | 1 |
| High | File Manipulation | CWE-73 | Go | 1 |
| High | DOM Based Cross-Site Scripting | CWE-79 | JavaScript / TypeScript* | 1 |
| High | Path/Directory Traversal | CWE-22 | Go | 3 |
| Medium | Heap Inspection | CWE-244 | Go | 68 |
| Medium | Insecure TLS Configuration | CWE-295 | Go | 2 |
| Low | Log Forging | CWE-117 | Go | 2 |
| Low | Unvalidated/Open Redirect | CWE-601 | Go | 3 |