Update README.md - Githubissues

github-actions[bot] commented 5 months ago

> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@

import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*;

public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute();

        sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";

Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next();
```
    /* START BAD CODE ------*/
    String event = "Removed account for blabber " + result.getString(1);
```
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery);
sqlStatement.execute(sqlQuery);
Set whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!result.getString(1).matches("\w+(\s\.\s\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
throw new IllegalArgumentException();
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
sqlStatement.setString(2, event);

sqlStatement.execute();

    sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
    logger.info(sqlQuery);

```

github-actions[bot] commented 5 months ago

> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE -----*/
```
```

github-actions[bot] commented 5 months ago

> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE */
```
```

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: b64ca4c0-974a-44a4-b328-4a73dd0afd4c
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*;

/**

@author johnadmin @@ -313,11 +314,18 @@ Class.forName("com.mysql.jdbc.Driver"); Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

String sql = "SELECT username FROM users WHERE username = '" + username + "'";
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
String sql = "SELECT username FROM users WHERE username = ?";
Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!username.matches("\w+(\s\.\s\w+)*") && !whitelistUsername.contains(username))
throw new IllegalArgumentException();
PreparedStatement statement = connect.prepareStatement(sql);
statement.setString(1, username);
ResultSet result = statement.executeQuery(); if (result.first()) { model.addAttribute("error", "Username '" + username + "' already exists!"); return "register"; } else {

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -490,11 +490,12 @@ ArrayList events = new ArrayList();

        /* START BAD CODE */

String sqlMyEvents = "select event from users_history where blabber=\"" + username
- "\" ORDER BY eventid DESC; ";
String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; "; logger.info(sqlMyEvents);
Statement sqlStatement = connect.createStatement();
ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
sqlStatement.setString(1, username);
ResultSet userHistoryResult = sqlStatement.executeQuery(); / END BAD CODE /
```
    while (userHistoryResult.next()) {
```

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/controller/BlabController.java +++ src/main/java/com/veracode/verademo/controller/BlabController.java @@ -27,6 +27,7 @@ import com.veracode.verademo.model.Blabber; import com.veracode.verademo.model.Comment; import com.veracode.verademo.utils.Constants; +import java.util.*;

@Controller @Scope("request") @@ -484,10 +485,13 @@

        // Find the Blabbers
        logger.info(blabbersSql);

Set whitelistSort = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!sort.matches("\w+(\s\.\s\w+)*") && !whitelistSort.contains(sort))
throw new IllegalArgumentException(); blabberQuery = connect.prepareStatement(blabbersSql); blabberQuery.setString(1, username); blabberQuery.setString(2, username); ResultSet blabbersResults = blabberQuery.executeQuery(); / END BAD CODE /
```
    List<Blabber> blabbers = new ArrayList<Blabber>();
```

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@

import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*;

public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute();

        sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";

Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next();
```
    /* START BAD CODE ------*/
    String event = "Removed account for blabber " + result.getString(1);
```
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery);
sqlStatement.execute(sqlQuery);
Set whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!result.getString(1).matches("\w+(\s\.\s\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
throw new IllegalArgumentException();
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
sqlStatement.setString(2, event);

sqlStatement.execute();

    sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
    logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE -----*/
```

github-actions[bot] commented 5 months ago

>[!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/f79912c0bcddea1accdff5d857338945a6d09ed7/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52

>[!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE */
```

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 3bafcb1e-e591-4715-b598-b31577112818
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L248-L258

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*;

/**

@author johnadmin @@ -247,10 +248,19 @@

    Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
String sql = "SELECT password_hint FROM users WHERE username = ?"; logger.info(sql);
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
Set whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!(password.length() - 2).matches("\w+(\s\.\s\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
throw new IllegalArgumentException();
Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!username.matches("\w+(\s\.\s\w+)*") && !whitelistUsername.contains(username))
throw new IllegalArgumentException();
PreparedStatement statement = connect.prepareStatement(sql);
statement.setString(1, username);
ResultSet result = statement.executeQuery(); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s"; @@ -263,6 +273,6 @@ } else { return "No password found for " + username; } } catch (ClassNotFoundException e) { e.printStackTrace();

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L381-L391

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*;

/**

@author johnadmin @@ -382,6 +383,21 @@ query.append("'" + blabName + "'"); query.append(");");

Set whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!realName.matches("\w+(\s\.\s\w+)*") && !whitelistRealname.contains(realName))
throw new IllegalArgumentException();
Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!username.matches("\w+(\s\.\s\w+)*") && !whitelistUsername.contains(username))
throw new IllegalArgumentException();
Set whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!mysqlCurrentDateTime.matches("\w+(\s\.\s\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
throw new IllegalArgumentException();
Set whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!password.matches("\w+(\s\.\s\w+)*") && !whitelistPassword.contains(password))
throw new IllegalArgumentException();
Set whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!blabName.matches("\w+(\s\.\s\w+)*") && !whitelistBlabname.contains(blabName))
throw new IllegalArgumentException(); sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString()); logger.info(query.toString()); @@ -411,6 +427,6 @@ } } return "redirect:login?username=" + username; }

private void emailUser(String username)

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L503-L513

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -490,11 +490,12 @@ ArrayList events = new ArrayList();

        /* START BAD CODE */

String sqlMyEvents = "select event from users_history where blabber=\"" + username
- "\" ORDER BY eventid DESC; ";
String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; "; logger.info(sqlMyEvents);
Statement sqlStatement = connect.createStatement();
ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
sqlStatement.setString(1, username);
ResultSet userHistoryResult = sqlStatement.executeQuery(); / END BAD CODE /
```
    while (userHistoryResult.next()) {
```

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L35-L45

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -34,10 +34,12 @@ action.setString(2, blabberUsername); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE ------*/
```

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L46-L56

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@

import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*;

public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute();

        sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";

Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next();
```
    /* START BAD CODE ------*/
    String event = "Removed account for blabber " + result.getString(1);
```
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery);
sqlStatement.execute(sqlQuery);
Set whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
if (!result.getString(1).matches("\w+(\s\.\s\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
throw new IllegalArgumentException();
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
sqlStatement.setString(2, event);

sqlStatement.execute();

    sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
    logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE -----*/
```

github-actions[bot] commented 5 months ago

> [!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/5e2278d8909d31f53da29994dd44b7f5b5b0a4ab/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

> [!CAUTION]
CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

```diff --- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute();

sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
sqlStatement.setString(1, blabberUsername);
ResultSet result = sqlStatement.executeQuery(); result.next();
```
    /* START BAD CODE */
```

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: ba41dc8c-ea05-4be6-bbba-d1e6a74ccb46
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L313-L323

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -313,11 +314,18 @@
            Class.forName("com.mysql.jdbc.Driver");
            Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

-           String sql = "SELECT username FROM users WHERE username = '" + username + "'";
-           Statement statement = connect.createStatement();
-           ResultSet result = statement.executeQuery(sql);
+           String sql = "SELECT username FROM users WHERE username = ?";
+
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
+           PreparedStatement statement = connect.prepareStatement(sql);
+           statement.setString(1, username);
+
+           ResultSet result = statement.executeQuery();
            if (result.first()) {
                model.addAttribute("error", "Username '" + username + "' already exists!");
                return "register";
            }
            else {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L492-L502

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
            ArrayList<String> events = new ArrayList<String>();

            /* START BAD CODE */
-           String sqlMyEvents = "select event from users_history where blabber=\"" + username
-                   + "\" ORDER BY eventid DESC; ";
+           String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
            logger.info(sqlMyEvents);
-           Statement sqlStatement = connect.createStatement();
-           ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+           sqlStatement.setString(1, username);
+
+           ResultSet userHistoryResult = sqlStatement.executeQuery();
            /* END BAD CODE */

            while (userHistoryResult.next()) {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L485-L495

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
 import com.veracode.verademo.model.Blabber;
 import com.veracode.verademo.model.Comment;
 import com.veracode.verademo.utils.Constants;
+import java.util.*;

 @Controller
 @Scope("request")
@@ -484,10 +485,13 @@

            // Find the Blabbers
            logger.info(blabbersSql);
+       Set<String> whitelistSort = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!sort.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistSort.contains(sort))
+           throw new IllegalArgumentException();
            blabberQuery = connect.prepareStatement(blabbersSql);
            blabberQuery.setString(1, username);
            blabberQuery.setString(2, username);
            ResultSet blabbersResults = blabberQuery.executeQuery();
            /* END BAD CODE */

            List<Blabber> blabbers = new ArrayList<Blabber>();

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -35,16 +36,23 @@
            action.execute();

            sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
            logger.info(sqlQuery);
            ResultSet result = sqlStatement.executeQuery(sqlQuery);
            result.next();

            /* START BAD CODE ------*/
            String event = "Removed account for blabber " + result.getString(1);
-           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
            logger.info(sqlQuery);
-           sqlStatement.execute(sqlQuery);
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
+
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+           sqlStatement.setString(2, event);
+
+           sqlStatement.execute();

            sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
            logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE -----*/

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/9915dbf5d55d9429c7469e19ae2af51bccdf5b5a/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE */

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 601b68ee-8139-4b77-95cf-971a46e41e6e
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code! https://github.com/julz0815/test-action/blob/31cd0829e2efd12a7bba05797e71ba3f02669522/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L313-L323

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -313,11 +314,18 @@
            Class.forName("com.mysql.jdbc.Driver");
            Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

-           String sql = "SELECT username FROM users WHERE username = '" + username + "'";
-           Statement statement = connect.createStatement();
-           ResultSet result = statement.executeQuery(sql);
+           String sql = "SELECT username FROM users WHERE username = ?";
+
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
+           PreparedStatement statement = connect.prepareStatement(sql);
+           statement.setString(1, username);
+
+           ResultSet result = statement.executeQuery();
            if (result.first()) {
                model.addAttribute("error", "Username '" + username + "' already exists!");
                return "register";
            }
            else {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code! https://github.com/julz0815/test-action/blob/31cd0829e2efd12a7bba05797e71ba3f02669522/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L492-L502

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
            ArrayList<String> events = new ArrayList<String>();

            /* START BAD CODE */
-           String sqlMyEvents = "select event from users_history where blabber=\"" + username
-                   + "\" ORDER BY eventid DESC; ";
+           String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
            logger.info(sqlMyEvents);
-           Statement sqlStatement = connect.createStatement();
-           ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+           sqlStatement.setString(1, username);
+
+           ResultSet userHistoryResult = sqlStatement.executeQuery();
            /* END BAD CODE */

            while (userHistoryResult.next()) {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code! https://github.com/julz0815/test-action/blob/31cd0829e2efd12a7bba05797e71ba3f02669522/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L485-L495

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
 import com.veracode.verademo.model.Blabber;
 import com.veracode.verademo.model.Comment;
 import com.veracode.verademo.utils.Constants;
+import java.util.*;

 @Controller
 @Scope("request")
@@ -484,10 +485,13 @@

            // Find the Blabbers
            logger.info(blabbersSql);
+       Set<String> whitelistSort = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!sort.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistSort.contains(sort))
+           throw new IllegalArgumentException();
            blabberQuery = connect.prepareStatement(blabbersSql);
            blabberQuery.setString(1, username);
            blabberQuery.setString(2, username);
            ResultSet blabbersResults = blabberQuery.executeQuery();
            /* END BAD CODE */

            List<Blabber> blabbers = new ArrayList<Blabber>();

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code! https://github.com/julz0815/test-action/blob/31cd0829e2efd12a7bba05797e71ba3f02669522/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -35,16 +36,23 @@
            action.execute();

            sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
            logger.info(sqlQuery);
            ResultSet result = sqlStatement.executeQuery(sqlQuery);
            result.next();

            /* START BAD CODE ------*/
            String event = "Removed account for blabber " + result.getString(1);
-           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
            logger.info(sqlQuery);
-           sqlStatement.execute(sqlQuery);
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
+
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+           sqlStatement.setString(2, event);
+
+           sqlStatement.execute();

            sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
            logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 60f05115-96c3-44db-9908-fecc2eaa4529
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L313-L323

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -313,11 +314,18 @@
            Class.forName("com.mysql.jdbc.Driver");
            Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

-           String sql = "SELECT username FROM users WHERE username = '" + username + "'";
-           Statement statement = connect.createStatement();
-           ResultSet result = statement.executeQuery(sql);
+           String sql = "SELECT username FROM users WHERE username = ?";
+
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
+           PreparedStatement statement = connect.prepareStatement(sql);
+           statement.setString(1, username);
+
+           ResultSet result = statement.executeQuery();
            if (result.first()) {
                model.addAttribute("error", "Username '" + username + "' already exists!");
                return "register";
            }
            else {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L492-L502

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
            ArrayList<String> events = new ArrayList<String>();

            /* START BAD CODE */
-           String sqlMyEvents = "select event from users_history where blabber=\"" + username
-                   + "\" ORDER BY eventid DESC; ";
+           String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
            logger.info(sqlMyEvents);
-           Statement sqlStatement = connect.createStatement();
-           ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+           sqlStatement.setString(1, username);
+
+           ResultSet userHistoryResult = sqlStatement.executeQuery();
            /* END BAD CODE */

            while (userHistoryResult.next()) {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L485-L495

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
 import com.veracode.verademo.model.Blabber;
 import com.veracode.verademo.model.Comment;
 import com.veracode.verademo.utils.Constants;
+import java.util.*;

 @Controller
 @Scope("request")
@@ -484,10 +485,13 @@

            // Find the Blabbers
            logger.info(blabbersSql);
+       Set<String> whitelistSort = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!sort.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistSort.contains(sort))
+           throw new IllegalArgumentException();
            blabberQuery = connect.prepareStatement(blabbersSql);
            blabberQuery.setString(1, username);
            blabberQuery.setString(2, username);
            ResultSet blabbersResults = blabberQuery.executeQuery();
            /* END BAD CODE */

            List<Blabber> blabbers = new ArrayList<Blabber>();

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -35,16 +36,23 @@
            action.execute();

            sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
            logger.info(sqlQuery);
            ResultSet result = sqlStatement.executeQuery(sqlQuery);
            result.next();

            /* START BAD CODE ------*/
            String event = "Removed account for blabber " + result.getString(1);
-           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
            logger.info(sqlQuery);
-           sqlStatement.execute(sqlQuery);
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
+
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+           sqlStatement.setString(2, event);
+
+           sqlStatement.execute();

            sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
            logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE -----*/

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f7c90118d0698ecf914d11d7507db9d201fce38e/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE */

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 387752d0-694f-4a9d-a961-69845aa4b82b
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -247,10 +248,19 @@

            Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

-           String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT password_hint FROM users WHERE username = ?";
            logger.info(sql);
-           Statement statement = connect.createStatement();
-           ResultSet result = statement.executeQuery(sql);
+           Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+               throw new IllegalArgumentException();
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
+           PreparedStatement statement = connect.prepareStatement(sql);
+           statement.setString(1, username);
+
+           ResultSet result = statement.executeQuery();
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -263,6 +273,6 @@
            }
            else {
                return "No password found for " + username;
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -382,6 +383,21 @@
            query.append("'" + blabName + "'");
            query.append(");");

+       Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+           throw new IllegalArgumentException();
+       Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+           throw new IllegalArgumentException();
+       Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+           throw new IllegalArgumentException();
+       Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+           throw new IllegalArgumentException();
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
            sqlStatement = connect.createStatement();
            sqlStatement.execute(query.toString());
            logger.info(query.toString());
@@ -411,6 +427,6 @@
            }
        }
        return "redirect:login?username=" + username;
    }

    private void emailUser(String username)

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/controller/UserController.java#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
            ArrayList<String> events = new ArrayList<String>();

            /* START BAD CODE */
-           String sqlMyEvents = "select event from users_history where blabber=\"" + username
-                   + "\" ORDER BY eventid DESC; ";
+           String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
            logger.info(sqlMyEvents);
-           Statement sqlStatement = connect.createStatement();
-           ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+           sqlStatement.setString(1, username);
+
+           ResultSet userHistoryResult = sqlStatement.executeQuery();
            /* END BAD CODE */

            while (userHistoryResult.next()) {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/commands/RemoveAccountCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, blabberUsername);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE ------*/

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/commands/RemoveAccountCommand.java#L46-L56

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -35,16 +36,23 @@
            action.execute();

            sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
            logger.info(sqlQuery);
            ResultSet result = sqlStatement.executeQuery(sqlQuery);
            result.next();

            /* START BAD CODE ------*/
            String event = "Removed account for blabber " + result.getString(1);
-           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+           sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
            logger.info(sqlQuery);
-           sqlStatement.execute(sqlQuery);
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
+
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+           sqlStatement.setString(2, event);
+
+           sqlStatement.execute();

            sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
            logger.info(sqlQuery);

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/commands/ListenCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE -----*/

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/dfafeb27c8778d2414717929ff34eb3764b8072ccom/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, username);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE */

github-actions[bot] commented 5 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: c85e6c39-f598-49e5-82e1-53b7131a23aa
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details

-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------

=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/455c5d7bcb3cd73095f75072c9846b48036c3bd1/undefined#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -247,10 +248,19 @@

            Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());

-           String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT password_hint FROM users WHERE username = ?";
            logger.info(sql);
-           Statement statement = connect.createStatement();
-           ResultSet result = statement.executeQuery(sql);
+           Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+               throw new IllegalArgumentException();
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
+           PreparedStatement statement = connect.prepareStatement(sql);
+           statement.setString(1, username);
+
+           ResultSet result = statement.executeQuery();
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -263,6 +273,6 @@
            }
            else {
                return "No password found for " + username;
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/455c5d7bcb3cd73095f75072c9846b48036c3bd1/undefined#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -382,6 +383,21 @@
            query.append("'" + blabName + "'");
            query.append(");");

+       Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+           throw new IllegalArgumentException();
+       Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+           throw new IllegalArgumentException();
+       Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+           throw new IllegalArgumentException();
+       Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+           throw new IllegalArgumentException();
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
            sqlStatement = connect.createStatement();
            sqlStatement.execute(query.toString());
            logger.info(query.toString());
@@ -411,6 +427,6 @@
            }
        }
        return "redirect:login?username=" + username;
    }

    private void emailUser(String username)

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/455c5d7bcb3cd73095f75072c9846b48036c3bd1/undefined#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
            ArrayList<String> events = new ArrayList<String>();

            /* START BAD CODE */
-           String sqlMyEvents = "select event from users_history where blabber=\"" + username
-                   + "\" ORDER BY eventid DESC; ";
+           String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
            logger.info(sqlMyEvents);
-           Statement sqlStatement = connect.createStatement();
-           ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+           sqlStatement.setString(1, username);
+
+           ResultSet userHistoryResult = sqlStatement.executeQuery();
            /* END BAD CODE */

            while (userHistoryResult.next()) {

github-actions[bot] commented 5 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/455c5d7bcb3cd73095f75072c9846b48036c3bd1/undefined#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
            action.setString(2, blabberUsername);
            action.execute();

-           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
-           Statement sqlStatement = connect.createStatement();
+           sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
            logger.info(sqlQuery);
-           ResultSet result = sqlStatement.executeQuery(sqlQuery);
+           PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+           sqlStatement.setString(1, blabberUsername);
+
+           ResultSet result = sqlStatement.executeQuery();
            result.next();

            /* START BAD CODE ------*/

julz0815 / test-action

Update README.md #832