SharonKoch / govuk-frontend_Demo

MIT License

Code Security Report: 3 high severity findings, 5 total findings #4

Open mend-for-github-com[bot] opened 5 months ago

mend-for-github-com[bot] commented 5 months ago

Code Security Report

Scan Metadata

- Latest Scan: 2024-08-05 11:01am
- Total Findings: 5 | New Findings: 0 | Resolved Findings: 0
- Tested Project Files: 259
- Detected Programming Languages: 1 (JavaScript / TypeScript*)

Finding Details

Automatic Remediation Available (1)

| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| Low | Unvalidated/Open Redirect | [CWE-601](https://cwe.mitre.org/data/definitions/601.html) | [banner.mjs:34](https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L34) | 1 | 2024-05-16 06:54am |

Vulnerable Code: https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L29-L34

1 Data Flow/s detected:
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L23
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L25
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L34

:rescue_worker_helmet: Remediation Suggestion: https://github.com/SharonKoch/govuk-frontend_Demo/blob/1482d11250c33fae2032b8a07f4824fa5abf0d24/diffs/c31dc560-9763-422b-a0d7-436c61f4f33b/banner.mjs.diff#L1-L55
- [ ] Create Pull Request

**Remediation feedback:**
- [ ] :thumbsup: Like
- [ ] :thumbsdown: Dislike

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Unvalidated/Open Redirect Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/uraf/generic/nodejs/express)
- Videos
  - [Secure Code Warrior Unvalidated/Open Redirect Video](https://media.securecodewarrior.com/v2/Unvalidated_Redirects_and_Forwards_v2.mp4)
- Further Reading
  - [OWASP Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)

No Automatic Remediation (4)

| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|---|---|---|---|---|
| High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [index.mjs:10](https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-server-side/index.mjs#L10) (cookie-banner-server-side) | 1 | 2024-05-16 06:54am |
| High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [index.mjs:10](https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-essential-cookies/index.mjs#L10) (cookie-banner-essential-cookies) | 1 | 2024-05-16 06:54am |
| High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [examples.mjs:21](https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L21) | 1 | 2024-05-16 06:54am |
| Low | Sensitive Cookie Without Secure | [CWE-614](https://cwe.mitre.org/data/definitions/614.html) | [banner.mjs:27](https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L27) | 1 | 2024-05-16 06:54am |

Code Injection in full-page-examples/cookie-banner-server-side/index.mjs:10

Vulnerable Code: https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-server-side/index.mjs#L5-L10

1 Data Flow/s detected:
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-server-side/index.mjs#L5
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-server-side/index.mjs#L11
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-server-side/index.mjs#L10

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)

Code Injection in full-page-examples/cookie-banner-essential-cookies/index.mjs:10

Vulnerable Code: https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-essential-cookies/index.mjs#L5-L10

1 Data Flow/s detected:
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-essential-cookies/index.mjs#L5
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-essential-cookies/index.mjs#L11
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/views/full-page-examples/cookie-banner-essential-cookies/index.mjs#L10

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)

Code Injection in routes/examples.mjs:21

Vulnerable Code: https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L16-L21

1 Data Flow/s detected:
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L13
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L14
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L22
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/routes/examples.mjs#L21

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)

Sensitive Cookie Without Secure in common/middleware/banner.mjs:27

Vulnerable Code: https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L22-L27

1 Data Flow/s detected:
- https://github.com/SharonKoch/govuk-frontend_Demo/blob/c2dc609c24ce46875d4c2a2516c47972c8e14bd6/packages/govuk-frontend-review/src/common/middleware/banner.mjs#L27

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Sensitive Cookie Without Secure Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/misconfig/securityfeatures/nodejs/express)
- Videos
  - [Secure Code Warrior Sensitive Cookie Without Secure Video](https://media.securecodewarrior.com/v2/module_132_disabled_security_features.mp4)

github-actions[bot] commented 4 months ago

Uh oh! @mend-for-github-com[bot], the image you shared is missing helpful alt text. Check your issue body.

Alt text is an invisible description that helps screen readers describe images to blind or low-vision users. If you are using markdown to display images, add your alt text inside the brackets of the markdown image.

Learn more about alt text at Basic writing and formatting syntax: images on GitHub Docs.

🤖 Beep boop! This comment was added automatically by github/accessibility-alt-text-bot.

github-actions[bot] commented 1 month ago

Uh oh! @mend-for-github-com[bot], the image you shared is missing helpful alt text. Check your issue body.

Alt text is an invisible description that helps screen readers describe images to blind or low-vision users. If you are using markdown to display images, add your alt text inside the brackets of the markdown image.

Learn more about alt text at Basic writing and formatting syntax: images on GitHub Docs.

🤖 Beep boop! This comment was added automatically by github/accessibility-alt-text-bot.