Closed julz0815 closed 6 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: d94c7a6c-3568-4869-aef7-f072ebc349db
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
@@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
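Review bot: The added whitelist block does not compile: `(password.length() - 2).matches(...)` calls a `String` method on an `int`, `whitelistPasswordLength2.contains((password.length() - 2))` passes an `int` to a `Set<String>`, and within this hunk `password` is only declared further down (`String password= result.getString("password_hint");`). The placeholder sets (`"item1", "item2", "item3"`) are not real allowed values either, so both whitelist blocks should be dropped; the actual fix for the finding is the `?` placeholder with `statement.setString(1, username)` and `statement.executeQuery()`, which is correct as written. Minor: `logger.info(sql)` now logs only the template, which is fine, but the `formatString` that follows still embeds `username` into a message that reveals part of the password hint; that is outside this finding but worth a separate ticket.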
@@ -263,6 +273,6 @@
}
else {
return "No password found for " + username;
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
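Review bot: This hunk (`@@ -263,6 +273,6 @@`) contains only context lines and no `+`/`-` changes, so it is a no-op and should be dropped from the patch before it is applied.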
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
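Review bot: This import hunk is a verbatim repeat of the `@@ -50,6 +50,7 @@` hunk already proposed for the same file in the first finding; applying both would add `import java.util.*;` twice (or the second would fail to apply). Merge the per-finding patches for `UserController.java` into one patch.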
@@ -382,6 +383,21 @@
query.append("'" + blabName + "'");
query.append(");");
+ Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+ Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+ throw new IllegalArgumentException();
+ Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+ throw new IllegalArgumentException();
+ Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+ throw new IllegalArgumentException();
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
logger.info(query.toString());
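Review bot: The flagged sink is untouched: `query` is still built by concatenation (`query.append("'" + blabName + "'");`) and still executed via `sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString());`, so the validation added in front of it does not resolve the CWE-89 finding at line 386. The checks also run after the query string has already been assembled, and the regex `\w+(\s*\.\s*\w+)*` rejects any value with a hyphen, colon or space, which a `mysqlCurrentDateTime` value or a `password` with punctuation would contain, so legitimate registrations would throw `IllegalArgumentException`. Replace the concatenated `INSERT` with a `PreparedStatement` and one `setString` per column, and remove the five placeholder whitelists (`"item1", "item2", "item3"` are not real allowed values).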
@@ -411,6 +427,6 @@
}
}
return "redirect:login?username=" + username;
}
private void emailUser(String username)
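Review bot: This hunk (`@@ -411,6 +427,6 @@`) contains only context lines and no `+`/`-` changes; drop it from the patch.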
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList<String> events = new ArrayList<String>();
/* START BAD CODE */
- String sqlMyEvents = "select event from users_history where blabber=\"" + username
- + "\" ORDER BY eventid DESC; ";
+ String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
logger.info(sqlMyEvents);
- Statement sqlStatement = connect.createStatement();
- ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+ sqlStatement.setString(1, username);
+
+ ResultSet userHistoryResult = sqlStatement.executeQuery();
/* END BAD CODE */
while (userHistoryResult.next()) {
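Review bot: The parameterization itself is correct, but the `/* START BAD CODE */` and `/* END BAD CODE */` markers now wrap fixed code and should be removed so the region is not mistaken for a still-open issue. Two caveats: the finding text says `executeQuery()` was called on the `myInfo` object, while this hunk changes `sqlMyEvents`, so confirm this is the sink reported at the listed line; and the trailing `; ` left inside the prepared query string is rejected by some JDBC drivers, so strip it.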
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
action.setString(2, blabberUsername);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE ------*/
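Review bot: Changing `sqlStatement` from `Statement` to `PreparedStatement` here is correct for this query, but the same variable is reused further down the method (the next hunk shows `sqlStatement.execute(sqlQuery)` for the `INSERT` and a concatenated `DELETE FROM users WHERE username = '" + blabberUsername + "'`); calling the string-argument `execute(String)` on a `PreparedStatement` is required by the JDBC spec to throw `SQLException`, so every later use in this method must be converted to its own prepared statement in the same change.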
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import java.util.*;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
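Review bot: Prefer explicit `java.util.Set`, `java.util.HashSet` and `java.util.Arrays` imports over `import java.util.*;` here, matching the explicit-import style of the surrounding `org.apache.log4j` imports. As with the `UserController.java` patch, confirm `java.sql.PreparedStatement` is already imported, since the following hunk uses it without adding an import.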
@@ -35,16 +36,23 @@
action.execute();
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+ sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+ Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+ throw new IllegalArgumentException();
+
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+ sqlStatement.setString(2, event);
+
+ sqlStatement.execute();
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
logger.info(sqlQuery);
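Review bot: This hunk does not compile and conflicts with the previous one for the same file. It removes `Statement sqlStatement = connect.createStatement();` but leaves `ResultSet result = sqlStatement.executeQuery(sqlQuery);` in place, so `sqlStatement` is used before its new declaration `PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);` several lines later; and its old side still contains the concatenated `SELECT blab_name ... '" + blabberUsername +"'"` that the `@@ -34,10 +34,12 @@` hunk already replaced, so the two patches cannot both apply. The `INSERT` parameterization with `setString(1, blabberUsername)` / `setString(2, event)` is the right fix; the whitelist on `result.getString(1)` (a value read back from the database, checked against placeholder items) adds nothing and should go. The `DELETE FROM users WHERE username = '" + blabberUsername + "'` that follows is still concatenated and matches the reported finding at `RemoveAccountCommand.java:51`, so this patch leaves one of the three findings in this file open.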
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE -----*/
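Review bot: The parameterized `SELECT` is correct and addresses the finding at `ListenCommand.java:40`, but the report also lists `ListenCommand.java:47`, which lies in the `/* START BAD CODE -----*/` region after this hunk and is not touched here. Since `sqlStatement` is now a `PreparedStatement`, any later `sqlStatement.execute(String)` in that region will throw at runtime rather than run, so convert the second statement in the same change.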
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE */
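Review bot: Same situation as `ListenCommand.java`: this hunk fixes the finding at `IgnoreCommand.java:40`, while the reported `IgnoreCommand.java:47` sits in the `/* START BAD CODE */` region after it and is not addressed; with `sqlStatement` now a `PreparedStatement`, a later string-argument `execute` on it would throw at runtime, so the second statement needs its own prepared statement in this patch.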
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: f12525df-eb4c-48ce-9873-d8b4db238238
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
@@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -263,6 +273,6 @@
}
else {
return "No password found for " + username;
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
@@ -382,6 +383,21 @@
query.append("'" + blabName + "'");
query.append(");");
+ Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+ Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+ throw new IllegalArgumentException();
+ Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+ throw new IllegalArgumentException();
+ Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+ throw new IllegalArgumentException();
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
logger.info(query.toString());
@@ -411,6 +427,6 @@
}
}
return "redirect:login?username=" + username;
}
private void emailUser(String username)
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList<String> events = new ArrayList<String>();
/* START BAD CODE */
- String sqlMyEvents = "select event from users_history where blabber=\"" + username
- + "\" ORDER BY eventid DESC; ";
+ String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
logger.info(sqlMyEvents);
- Statement sqlStatement = connect.createStatement();
- ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+ sqlStatement.setString(1, username);
+
+ ResultSet userHistoryResult = sqlStatement.executeQuery();
/* END BAD CODE */
while (userHistoryResult.next()) {
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
action.setString(2, blabberUsername);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE ------*/
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import java.util.*;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
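Review bot: prefer explicit imports (`java.util.Set`, `java.util.HashSet`, `java.util.Arrays`) over `import java.util.*;`; the wildcard is added solely for the whitelist guard in the next hunk, so if that guard is dropped this import goes with it. Also confirm the file already imports `java.sql.PreparedStatement`, which the `prepareStatement(...)` change relies on and which neither hunk adds.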
@@ -35,16 +36,23 @@
action.execute();
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+ sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+ Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+ throw new IllegalArgumentException();
+
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+ sqlStatement.setString(2, event);
+
+ sqlStatement.execute();
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
logger.info(sqlQuery);
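Review bot: this hunk does not compile as written: `Statement sqlStatement = connect.createStatement();` is removed, but the unchanged `ResultSet result = sqlStatement.executeQuery(sqlQuery);` two lines later still references `sqlStatement`, which is only declared further down as a `PreparedStatement`. It also leaves the SELECT at line 40 and the `DELETE FROM users WHERE username = '" + blabberUsername + "'` at line 51 concatenated, so two of the three findings in this file stay open. Finally, the `whitelistResultGetstring1` guard validates a value read from the database (`result.getString(1)`) against placeholder entries `item1`..`item3` and a pattern that rejects any blab name containing characters outside `\w`, whitespace and `.`; because `event` is bound with `setString(2, event)`, the guard adds no injection protection and will only throw spurious `IllegalArgumentException`s. Drop the guard, read `result.getString(1)` once, and prepare all three statements.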
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE -----*/
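Review bot: same gap as the RemoveAccountCommand hunk above: the scan summary still lists ListenCommand.java:47 as a second SQL injection site in this file, and this hunk stops at line 40. If line 47 reuses `sqlStatement` with a SQL string the way RemoveAccountCommand does, that call will now throw `SQLException`, because JDBC forbids `execute(String)` and `executeQuery(String)` on a `PreparedStatement`. Parameterize the second query in the same change and close both the statement and the `ResultSet` with try-with-resources.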
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE */
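Review bot: this covers only the finding at IgnoreCommand.java:40; the summary also reports IgnoreCommand.java:47. Check how that line uses `sqlStatement`: after this hunk the variable is a `PreparedStatement`, and passing a SQL string to its `execute`/`executeQuery` throws `SQLException` under JDBC. Fix both queries together so the file ends up with no `createStatement()` usage at all.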
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 36e79291-dd99-4807-ac04-f8abd157b038
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
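Review bot: the wildcard `import java.util.*;` exists only to support the `Set`/`HashSet`/`Arrays` whitelist guards in the following hunk; if those guards are not kept, this import is dead. The file already uses `ArrayList` (see the @@ -490 hunk), so there is an existing `java.util` import to extend with explicit entries rather than a wildcard. Verify that `java.sql.PreparedStatement` is imported as well, since no hunk adds it.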
@@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
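Review bot: the first guard block does not compile: `password.length() - 2` is an `int`, which has no `matches(...)` method, and `password` is not declared until `String password= result.getString("password_hint")` several lines below this insertion point. Delete that block outright. The `username` block is also unnecessary for injection safety once `username` is bound through `statement.setString(1, username)`; the `\w+(\s*\.\s*\w+)*` pattern would reject otherwise valid usernames containing `-` or `@`, and the `item1`..`item3` whitelist is a placeholder that never matches real data. Keep the `PreparedStatement` conversion, drop both guard blocks, and close `statement` and `result` with try-with-resources.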
@@ -263,6 +273,6 @@
}
else {
return "No password found for " + username;
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
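Review bot: this is the same `import java.util.*;` hunk already proposed for UserController in the @@ -50,6 hunk above; applying both suggestions yields two identical on-demand imports. Java tolerates duplicate `import x.*;` declarations, so it compiles, but the suggestion should be deduplicated so the import is proposed once.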
@@ -382,6 +383,21 @@
query.append("'" + blabName + "'");
query.append(");");
+ Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+ Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+ throw new IllegalArgumentException();
+ Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+ throw new IllegalArgumentException();
+ Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+ throw new IllegalArgumentException();
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
logger.info(query.toString());
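Review bot: this hunk leaves the actual sink untouched: the INSERT is still assembled with `query.append("'" + blabName + "'")` and executed through `sqlStatement.execute(query.toString())`, so the finding at UserController.java:386 stays open (the rerun summary still lists it). The five regex/whitelist guards only narrow which inputs reach the concatenation, and the `\w+(\s*\.\s*\w+)*` pattern rejects legitimate values: a value in MySQL DATETIME format (`YYYY-MM-DD HH:MM:SS`) contains `-` and `:`, which the pattern does not allow, and any password containing punctuation would be refused, so registration would throw `IllegalArgumentException` for most real inputs. Replace the `StringBuilder` concatenation with a `PreparedStatement` using five `?` placeholders and `setString` calls, and drop the guards (or keep one centralized validation routine with real allow-lists instead of `item1`..`item3`). A bare `throw new IllegalArgumentException()` also gives the caller nothing to log; include a message.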
@@ -411,6 +427,6 @@
}
}
return "redirect:login?username=" + username;
}
private void emailUser(String username)
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList<String> events = new ArrayList<String>();
/* START BAD CODE */
- String sqlMyEvents = "select event from users_history where blabber=\"" + username
- + "\" ORDER BY eventid DESC; ";
+ String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
logger.info(sqlMyEvents);
- Statement sqlStatement = connect.createStatement();
- ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+ sqlStatement.setString(1, username);
+
+ ResultSet userHistoryResult = sqlStatement.executeQuery();
/* END BAD CODE */
while (userHistoryResult.next()) {
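Review bot: the parameterization itself is right (`blabber=?` bound with `setString(1, username)`), but the `/* START BAD CODE */` and `/* END BAD CODE */` markers now wrap fixed code and should be removed so the demo's intentionally vulnerable regions stay accurately labelled. The summary also lists a second finding nearby at UserController.java:508 that this hunk does not reach; fix it in the same change, and wrap `sqlStatement` and `userHistoryResult` in try-with-resources so they are closed on every path.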
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 5a2c1fff-c96b-49db-949c-7a5b6b207992
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
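Review bot: third copy of the identical `import java.util.*;` hunk for UserController in this review; deduplicate the suggestion so the import is proposed once, and prefer explicit `java.util.Set`, `java.util.HashSet` and `java.util.Arrays` imports if the whitelist guard is kept at all.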
@@ -313,11 +314,18 @@
Class.forName("com.mysql.jdbc.Driver");
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT username FROM users WHERE username = '" + username + "'";
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ String sql = "SELECT username FROM users WHERE username = ?";
+
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
model.addAttribute("error", "Username '" + username + "' already exists!");
return "register";
}
else {
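Review bot: keep the `PreparedStatement` conversion and drop the `whitelistUsername` guard. With `username` bound through `statement.setString(1, username)` the guard adds no injection protection, and the `!matches(...) && !whitelist.contains(...)` check with placeholder entries `item1`..`item3` would reject any registration username containing characters outside `\w`, whitespace and `.`, which is a functional regression rather than a security gain. Close `statement` and `result` with try-with-resources, and prefer `result.next()` over the scrollable-only `result.first()` unless the statement is explicitly created with a scrollable result set type.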
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: ccc732b2-3a56-43e7-a74d-fbf23b9889dd
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
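Review bot: `import java.util.*;` is a wildcard import where every neighbouring import in this file is explicit, and the hunk does not show a `java.sql.PreparedStatement` import even though the change further down uses `PreparedStatement`; confirm the file already imports it (or `java.sql.*`) and replace the wildcard with explicit `import java.util.Arrays;`, `import java.util.HashSet;` and `import java.util.Set;` to match the surrounding style.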
@@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
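Review bot: the added password-length check does not compile and should be dropped: `password.length() - 2` is an `int`, so `.matches(...)` cannot be called on it, `whitelistPasswordLength2.contains(...)` on a `Set<String>` with an `int` argument can never be true, and `password` is only declared further down (`String password= result.getString("password_hint")`), after this check would already have run. The username validation is reasonable defence in depth behind the prepared statement, but the `"item1", "item2", "item3"` whitelist is a placeholder that lets exactly those three strings bypass the regex; either populate it with real values or reduce the check to `if (!username.matches(...)) throw ...`, and consider running it before `DriverManager.getConnection(...)` so rejected input does not cost a connection. The switch to `prepareStatement(sql)` with `setString(1, username)` is the actual remediation for the CWE-89 finding and looks correct; `logger.info(sql)` now logs the parameterised template rather than user-supplied text, which is fine.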
@@ -263,6 +273,6 @@
}
else {
return "No password found for " + username;
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
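Review bot: this hunk (`@@ -263,6 +273,6 @@`) carries only context lines and no `+`/`-` changes, so it contributes nothing to the patch; either drop it or restore the change it was meant to show. Separately, the `catch (ClassNotFoundException e)` that only calls `e.printStackTrace()` is pre-existing code rather than part of this fix, but routing it through `logger` like the rest of the method would keep the failure visible in application logs.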
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 6a1268b9-1947-42f7-8784-5726082bb3eb
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
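Review bot: the wildcard `import java.util.*;` sits among explicit imports and the hunk shows no `java.sql.PreparedStatement` import although the change below depends on one; use explicit `java.util.Arrays`, `java.util.HashSet` and `java.util.Set` imports and verify the `java.sql` import already exists in the unchanged part of the file.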
@@ -313,11 +314,18 @@
Class.forName("com.mysql.jdbc.Driver");
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT username FROM users WHERE username = '" + username + "'";
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ String sql = "SELECT username FROM users WHERE username = ?";
+
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
model.addAttribute("error", "Username '" + username + "' already exists!");
return "register";
}
else {
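Review bot: the validation throws a bare `IllegalArgumentException` from inside the registration handler, which surfaces as a server error instead of the validation message the method already knows how to produce (`model.addAttribute("error", ...)` followed by `return "register";` a few lines below); report a rejected username the same way. The `"item1", "item2", "item3"` whitelist is a placeholder that lets those three literal strings skip the regex and should be removed or replaced with real values, and the regex `\w+(\s*\.\s*\w+)*` accepts embedded whitespace, which is unlikely to be the intended username format. The move to `prepareStatement(sql)` with `setString(1, username)` is the correct remediation for the finding; the regex check is only defence in depth, and it would be better placed before `DriverManager.getConnection(...)` so invalid input is rejected before a connection is opened.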
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 49a835b5-2966-4642-878e-400dee96076c
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 6731d9c1-a356-42a4-afae-654f05d9521c
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 2c3038fc-f6cc-4bf3-a839-22a2b7d9fade
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 90c07f14-f99c-45e7-ad5f-5eef413ce81d
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
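Review bot: the added `+import java.util.*;` is a wildcard import; prefer explicit `java.util.Set`, `java.util.HashSet` and `java.util.Arrays` imports so the new dependency the validation code introduces is visible and cannot shadow a same-named class from another imported package.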
@@ -313,11 +314,18 @@
Class.forName("com.mysql.jdbc.Driver");
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT username FROM users WHERE username = '" + username + "'";
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ String sql = "SELECT username FROM users WHERE username = ?";
+
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
model.addAttribute("error", "Username '" + username + "' already exists!");
return "register";
}
else {
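Review bot: the allow-list block inserted before `prepareStatement` is both dead and a behaviour change: `whitelistUsername` holds the placeholders `"item1", "item2", "item3"`, so the `contains` branch can never match a real username, and the regex `\\w+(\\s*\\.\\s*\\w+)*` now rejects any existing username containing a hyphen, `@` or a non-ASCII letter with an unhandled `IllegalArgumentException`. The `PreparedStatement` with `setString(1, username)` is the actual fix for the CWE-89 finding; either drop the regex block or replace it with the application's real username policy and surface a validation error through `model.addAttribute("error", ...)` the way the duplicate-username branch below does, rather than throwing. Also confirm `java.sql.PreparedStatement` is imported, since the `-50` hunk only adds `java.util.*`.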
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: c7c680d9-80eb-459a-8090-582ca9d89719
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 7d002507-8d63-4d2d-9a90-b338136793a9
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
@@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
- String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
+ String sql = "SELECT password_hint FROM users WHERE username = ?";
logger.info(sql);
- Statement statement = connect.createStatement();
- ResultSet result = statement.executeQuery(sql);
+ Set<String> whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2)))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+
+ PreparedStatement statement = connect.prepareStatement(sql);
+ statement.setString(1, username);
+
+ ResultSet result = statement.executeQuery();
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
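Review bot: the lines `+ Set<String> whitelistPasswordLength2 = ...` and `+ if (!(password.length() - 2).matches(...)` do not compile: `password.length() - 2` is an `int`, which has no `matches` method, and `password` is not declared until `String password= result.getString("password_hint")` further down the hunk. Drop both lines. The `PreparedStatement` with `setString(1, username)` already resolves the CWE-89 finding; the `whitelistUsername` block has the same problem as in the registration hunk (`item1`..`item3` never match and the regex rejects legitimate usernames). Separately, the context line `"Username '" + username + "' has password: %.2s%s"` returns password-derived text to the caller; the SQL fix does not touch that and it deserves its own ticket.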
@@ -263,6 +273,6 @@
}
else {
return "No password found for " + username;
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: b09b1753-fc2e-4a7d-8cb6-f6e0d377a8d6
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 32ce65db-3ec0-47a2-9e02-14666bdae939
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
* @author johnadmin
@@ -382,6 +383,21 @@
query.append("'" + blabName + "'");
query.append(");");
+ Set<String> whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName))
+ throw new IllegalArgumentException();
+ Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+ throw new IllegalArgumentException();
+ Set<String> whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime))
+ throw new IllegalArgumentException();
+ Set<String> whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password))
+ throw new IllegalArgumentException();
+ Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+ throw new IllegalArgumentException();
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
logger.info(query.toString());
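Review bot: this hunk does not fix the finding it is attached to: `query.append("'" + blabName + "'")` and `sqlStatement.execute(query.toString())` are unchanged, so the INSERT is still built by string concatenation and the five regex guards merely gate it. Worse, the regex `\\w+(\\s*\\.\\s*\\w+)*` will throw `IllegalArgumentException` for nearly every real registration: a password is rarely limited to word characters and dots, and a MySQL datetime string contains `-`, `:` and a space, so the `mysqlCurrentDateTime` check fails by construction. Replace the `StringBuilder` query with a `PreparedStatement` using `?` placeholders for `username`, `password`, `realName`, `blabName` and the timestamp (or let the database supply the timestamp), and remove the allow-list blocks, whose `item1..item3` placeholders never match.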
@@ -411,6 +427,6 @@
}
}
return "redirect:login?username=" + username;
}
private void emailUser(String username)
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList<String> events = new ArrayList<String>();
/* START BAD CODE */
- String sqlMyEvents = "select event from users_history where blabber=\"" + username
- + "\" ORDER BY eventid DESC; ";
+ String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; ";
logger.info(sqlMyEvents);
- Statement sqlStatement = connect.createStatement();
- ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents);
+ sqlStatement.setString(1, username);
+
+ ResultSet userHistoryResult = sqlStatement.executeQuery();
/* END BAD CODE */
while (userHistoryResult.next()) {
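Review bot: the `/* START BAD CODE */` and `/* END BAD CODE */` markers still wrap the block after the change to `prepareStatement(sqlMyEvents)` with `setString(1, username)`; since the query is now parameterized, update or remove the markers so the next reader (and any tooling keyed on them) does not treat the fixed code as the intentionally vulnerable sample. The parameterization itself is correct for this finding.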
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
action.setString(2, blabberUsername);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE ------*/
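Review bot: the return value of `result.next();` at the end of the hunk is ignored; if no row matches `blabberUsername`, the code after the `/* START BAD CODE ------*/` marker reads from an empty `ResultSet` and throws `SQLException`. Check the boolean and handle the no-row case. The switch to `prepareStatement(sqlQuery)` with `setString(1, blabberUsername)` is correct for this SELECT and matches the `action.setString(2, blabberUsername)` prepared statement already used just above it; the concatenated queries after the marker are covered by the other RemoveAccountCommand findings and need the same treatment.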
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import java.util.*;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
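Review bot: `import java.util.*;` is a wildcard import added for three classes (`Set`, `HashSet`, `Arrays`); import them explicitly, and place the import with the other `java.*` imports instead of after the log4j ones so the import grouping stays consistent.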
@@ -35,16 +36,23 @@
action.execute();
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
- Statement sqlStatement = connect.createStatement();
logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
- sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
+ sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)";
logger.info(sqlQuery);
- sqlStatement.execute(sqlQuery);
+ Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+ if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+ throw new IllegalArgumentException();
+
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+ sqlStatement.setString(2, event);
+
+ sqlStatement.execute();
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
logger.info(sqlQuery);
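Review bot: this hunk does not compile as written: `Statement sqlStatement = connect.createStatement();` is removed, but `ResultSet result = sqlStatement.executeQuery(sqlQuery);` two lines later still references `sqlStatement`, which is now only declared further down as `PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);`. Only the INSERT is actually parameterized; the SELECT at the top of the hunk (`"... WHERE username = '" + blabberUsername +"'"`) and the DELETE at the bottom keep their string concatenation and remain injectable. The added `whitelistResultGetstring1` check is also misplaced: it validates `result.getString(1)`, a value read back from the database rather than the request input, against placeholder entries (`"item1", "item2", "item3"`) that will reject any real blab name; since both values are bound with `setString`, drop this check or replace it with validation of the actual untrusted input, and give the `IllegalArgumentException` a message if it stays.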
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
References: CWE, OWASP
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE -----*/
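Review bot: `result.next()` on the last context line still discards its return value; now that the lookup is bound to `blabberUsername`, a username with no matching row gives an empty result set and the subsequent `result.getString(1)` fails with an SQLException instead of a clear "user not found" error, so check the boolean (`if (!result.next()) { ... }`). As with the identical change in RemoveAccountCommand, also confirm that nothing later in this method still calls `sqlStatement.execute(String)` or `executeQuery(String)`, which are not permitted on a `PreparedStatement`.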
https://github.com/julz0815/test-action/blob/971b671a0e86e33bc7f132188a0257c371b0abd1/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52