SharonKoch / skf-labs

Repo for all the OWASP-SKF Docker lab examples
Apache License 2.0

Code Security Report: 70 high severity findings, 228 total findings #61

Open mend-for-github-com[bot] opened 10 months ago

mend-for-github-com[bot] commented 10 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-08-05 11:35am
Total Findings: 228 | New Findings: 0 | Resolved Findings: 1
Tested Project Files: 3970
Detected Programming Languages: 6 (PHP, Python, C/C++ (Beta), JavaScript / TypeScript, Java, Ruby)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Automatic Remediation Available (1)

| Severity | Vulnerability Type | CWE | File | Data Flows | Date |
| --- | --- | --- | --- | --- | --- |
| High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [SqliLikeModel.java:17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeModel.java#L17) | 1 | 2024-05-16 06:54am |

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeModel.java#L12-L17

1 Data Flow/s detected:
- [SqliLikeController.java#L17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeController.java#L17)
- [SqliLikeController.java#L18](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeController.java#L18)
- [SqliLikeModel.java#L15](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeModel.java#L15)
- [SqliLikeModel.java#L16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeModel.java#L16)
- [SqliLikeModel.java#L17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/java/sqli-like/src/main/java/com/skf/labs/sqlilike/SqliLikeModel.java#L17)

:rescue_worker_helmet: Remediation Suggestion: https://github.com/SharonKoch/skf-labs/blob/5c3b6df012b28a74ad2c7a1e71165442f4a0e3a6/diffs/fa7a6a64-be40-4456-af6b-0f2ee691559b/SqliLikeModel.java.diff#L1-L30

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos
  - [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading
  - [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
  - [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
  - [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)

No Automatic Remediation (9)

| # | Severity | Vulnerability Type | CWE | File | Data Flows | Date |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [app.js:16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L16) (nodeJs/CMD2) | 1 | 2024-05-16 06:54am |
| 2 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [app.js:14](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD/app.js#L14) (nodeJs/CMD) | 1 | 2024-05-16 06:54am |
| 3 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [app.js:14](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD-Blind/app.js#L14) (nodeJs/CMD-Blind) | 1 | 2024-05-16 06:54am |
| 4 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [File-upload-cmd.py:11](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD3/File-upload-cmd.py#L11) (python/CMD3) | 1 | 2024-05-16 06:54am |
| 5 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [CMD.py:17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD/CMD.py#L17) (python/CMD) | 1 | 2024-05-16 06:54am |
| 6 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [CMD4.py:24](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L24) (python/CMD4) | 1 | 2024-05-16 06:54am |
| 7 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [CMD-Blind.py:17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD-Blind/CMD-Blind.py#L17) (python/CMD-Blind) | 1 | 2024-05-16 06:54am |
| 8 | High | Command Injection | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | [CMD2.py:16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD2/CMD2.py#L16) (python/CMD2) | 1 | 2024-05-16 06:54am |
| 9 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [app.js:34](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/RaceCondition/app.js#L34) (nodeJs/RaceCondition) | 1 | 2024-05-16 06:54am |

Finding 1: Command Injection, nodeJs/CMD2/app.js:16

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L11-L16

1 Data Flow/s detected:
- [app.js#L13](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L13)
- [app.js#L15](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L15)
- [app.js#L17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L17)
- [app.js#L16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD2/app.js#L16)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/nodejs/express)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 2: Command Injection, nodeJs/CMD/app.js:14

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD/app.js#L9-L14

1 Data Flow/s detected:
- [app.js#L12](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD/app.js#L12)
- [app.js#L13](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD/app.js#L13)
- [app.js#L14](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD/app.js#L14)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/nodejs/express)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 3: Command Injection, nodeJs/CMD-Blind/app.js:14

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD-Blind/app.js#L9-L14

1 Data Flow/s detected:
- [app.js#L12](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD-Blind/app.js#L12)
- [app.js#L13](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD-Blind/app.js#L13)
- [app.js#L14](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/CMD-Blind/app.js#L14)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/nodejs/express)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 4: Command Injection, python/CMD3/File-upload-cmd.py:11

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD3/File-upload-cmd.py#L6-L11

1 Data Flow/s detected:
- [File-upload-cmd.py#L11](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD3/File-upload-cmd.py#L11)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 5: Command Injection, python/CMD/CMD.py:17

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD/CMD.py#L12-L17

1 Data Flow/s detected:
- [CMD.py#L16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD/CMD.py#L16)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 6: Command Injection, python/CMD4/CMD4.py:24

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L19-L24

1 Data Flow/s detected:
- [CMD4.py#L16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L16)
- [CMD4.py#L17](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L17)
- [CMD4.py#L18](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L18)
- [CMD4.py#L19](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L19)
- [CMD4.py#L24](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD4/CMD4.py#L24)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 7: Command Injection, python/CMD-Blind/CMD-Blind.py:17

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD-Blind/CMD-Blind.py#L12-L17

1 Data Flow/s detected:
- [CMD-Blind.py#L16](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD-Blind/CMD-Blind.py#L16)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 8: Command Injection, python/CMD2/CMD2.py:16

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD2/CMD2.py#L11-L16

1 Data Flow/s detected:
- [CMD2.py#L15](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/python/CMD2/CMD2.py#L15)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Command Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/oscmd/python/vanilla)
- Videos
  - [Secure Code Warrior Command Injection Video](https://media.securecodewarrior.com/OS+Command+Injections_v2.mp4)
- Further Reading
  - [OWASP testing for Command Injection](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)

Finding 9: Code Injection, nodeJs/RaceCondition/app.js:34

Vulnerable Code: https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/RaceCondition/app.js#L29-L34

1 Data Flow/s detected:
- [app.js#L10](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/RaceCondition/app.js#L10)
- [app.js#L12](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/RaceCondition/app.js#L12)
- [app.js#L34](https://github.com/SharonKoch/skf-labs/blob/0eff78b6bc26b88dcc0ae78ecf37c233bdf9ba30/nodeJs/RaceCondition/app.js#L34)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
| --- | --- | --- | --- | --- |
| High | Path/Directory Traversal | CWE-22 | JavaScript / TypeScript* | 4 |
| High | Code Injection | CWE-94 | Python | 3 |
| High | Cross-Site Scripting | CWE-79 | Python | 5 |
| High | Path/Directory Traversal | CWE-22 | Java* | 6 |
| High | Code Injection | CWE-94 | JavaScript / TypeScript* | 18 |
| High | Server Side Request Forgery | CWE-918 | JavaScript / TypeScript* | 2 |
| High | SQL Injection | CWE-89 | Java* | 1 |
| High | Deserialization of Untrusted Data | CWE-502 | Java* | 2 |
| High | DOM Based Cross-Site Scripting | CWE-79 | JavaScript / TypeScript* | 7 |
| High | Command Injection | CWE-78 | Python | 5 |
| High | Path/Directory Traversal | CWE-22 | Python | 4 |
| High | Command Injection | CWE-78 | JavaScript / TypeScript* | 3 |
| High | Cross-Site Scripting | CWE-79 | PHP | 7 |
| High | Origin Validation Error | CWE-346 | JavaScript / TypeScript* | 1 |
| High | Server Side Request Forgery | CWE-918 | Java* | 2 |
| Medium | XML External Entity (XXE) Injection | CWE-611 | Java* | 1 |
| Medium | LDAP Injection | CWE-90 | Python | 2 |
| Medium | SQL Injection | CWE-89 | JavaScript / TypeScript* | 3 |
| Medium | Hidden HTML Input | CWE-472 | PHP | 14 |
| Medium | LDAP Injection | CWE-90 | JavaScript / TypeScript* | 2 |
| Medium | Error Messages Information Exposure | CWE-209 | Java* | 20 |
| Medium | XML External Entity (XXE) Injection | CWE-611 | JavaScript / TypeScript* | 1 |
| Medium | Insufficient Transport Layer Protection | CWE-319 | Java* | 2 |
| Medium | SQL Injection | CWE-89 | PHP | 3 |
| Medium | SQL Injection | CWE-89 | Python | 5 |
| Medium | Improper Verification of JWT Signature | CWE-347 | Java* | 1 |
| Medium | Regex Denial of Service (ReDoS) | CWE-1333 | JavaScript / TypeScript* | 6 |
| Medium | Trust Boundary Violation | CWE-501 | Java* | 17 |
| Medium | Improper Verification of JWT Signature | CWE-347 | JavaScript / TypeScript* | 1 |
| Medium | Miscellaneous Dangerous Functions | CWE-676 | Python | 8 |
| Medium | Readline Denial of Service | CWE-400 | Java* | 7 |
| Medium | Hardcoded Password/Credentials | CWE-798 | Python | 55 |
| Medium | Hardcoded Password/Credentials | CWE-798 | JavaScript / TypeScript* | 4 |
| Medium | LDAP Injection | CWE-90 | Java* | 2 |
| Low | Weak Hash Strength | CWE-328 | JavaScript / TypeScript* | 4 |