julz0815 / test-action


Fixtest #833

Closed julz0815 closed 3 months ago

github-actions[bot] commented 4 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 7b663200-a9f1-4a12-9e2d-7a89d2579968
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 4 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 88fc0052-59d3-49a0-9c4e-b13713d2224d
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 4 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 8d1f4da1-2565-4aff-8a9f-d14711b2a5b8
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 4 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: be89a33b-e311-4b32-ba5f-94ee0804b654
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
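Review bot: the wildcard `import java.util.*;` pulls in a whole package for three types; prefer explicit `import java.util.Arrays;`, `import java.util.HashSet;` and `import java.util.Set;` to match the explicit imports around it. The same line is added again by the second suggestion for this file in this thread, so only one of the two patches can apply cleanly.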
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
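Review bot: the added allow-list check does not remove the injection sink: `sql` is still built by concatenating `username` and is still run through `connect.createStatement()` and `statement.executeQuery(sql)`, so the CWE-89 finding at UserController.java:253 will persist. The regex `\w+(\s*\.\s*\w+)*` does keep quotes out of the single-quoted literal, but any later widening of the regex or of the allow-list reintroduces the flaw, and the check is placed after the tainted string has already been built and logged. Replace the concatenation with a `?` placeholder and `setString(1, username)`, as the UserController.java#L503 suggestion further down does, and drop the placeholder allow-list (`"item1", "item2", "item3"`) before merging.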
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
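Review bot: duplicate of the `import java.util.*;` line proposed in the first suggestion for this file; whichever patch is applied second will fail on this hunk. Use explicit imports of `Set`, `HashSet` and `Arrays` once.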
@@ -361,7 +362,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
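Review bot: changing the declaration to `PreparedStatement sqlStatement = null;` needs `java.sql.PreparedStatement` imported in this file; the scan text mentions `java.sql.PreparedStatement.executeQuery` elsewhere in UserController, so it is probably present, but confirm the file compiles after the patch.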
@@ -382,8 +383,13 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
            logger.info(query.toString());
            /* END BAD CODE */
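Review bot: `connect.prepareStatement(query.toString())` on a string that already has `blabName` concatenated into it (`query.append("'" + blabName + "'")`) is not parameterisation; the database still parses the user value as SQL text, so `sqlStatement.execute()` remains a CWE-89 sink and the finding at UserController.java:386 will not clear. Bind the value with a `?` placeholder and `setString`, as the UserController.java#L503 suggestion below does. Also, the three inserted lines from `Set<String> whitelistBlabname` to `throw new IllegalArgumentException();` are indented one level shallower than the surrounding try block, and the allow-list contents are placeholders.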
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -502,10 +502,11 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
            ResultSet myInfoResults = myInfo.executeQuery();
            myInfoResults.next();

            // Send these values to our View
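Review bot: this is the pattern the other suggestions in this thread should follow: the literal is replaced by a `?` placeholder and `myInfo.setString(1, username)` binds the value, so `username` is never parsed as SQL, and `logger.info(sql)` now logs only the constant template, which also removes the log-forging exposure at this call. The unchecked `myInfoResults.next()` on the following line is pre-existing; if no row matches, the `getString` calls that follow will throw `SQLException`, so consider guarding it.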
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L46-L56

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/ListenCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class ListenCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
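Review bot: same point as for UserController: prefer explicit `import java.util.Arrays;`, `import java.util.HashSet;` and `import java.util.Set;` over the wildcard import.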
@@ -41,10 +42,16 @@
            result.next();

            /* START BAD CODE -----*/
+           Set<String> whitelistBlabberusername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!blabberUsername.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabberusername.contains(blabberUsername))
+               throw new IllegalArgumentException();
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
            String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
            /* END BAD CODE */
        } catch (SQLException e) {
            // TODO Auto-generated catch block
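Review bot: the INSERT is still built by string concatenation and executed with `sqlStatement.execute(sqlQuery)`, so the finding at ListenCommand.java:47 is not fixed. The two regex checks only constrain `blabberUsername` and `result.getString(1)`; `username`, which is concatenated into both VALUES, is not covered by either check, and the values are wrapped in double quotes (`\"...\"`), which only works as a string delimiter on MySQL. Use `INSERT INTO users_history (blabber, event) VALUES (?, ?)` with `setString(1, username)` and `setString(2, event)`. Minor: `result.getString(1)` is called three times; read it into a local once, and remove the placeholder allow-lists (`"item1", "item2", "item3"`).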
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class IgnoreCommand implements BlabberCommand { 
    private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
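Review bot: same wildcard-import point as for ListenCommand; import `Set`, `HashSet` and `Arrays` explicitly.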
@@ -41,10 +42,16 @@
            result.next();

            /* START BAD CODE */
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
+           Set<String> whitelistBlabberusername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!blabberUsername.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabberusername.contains(blabberUsername))
+               throw new IllegalArgumentException();
            String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
            /* END BAD CODE */
        } catch (SQLException e) {
            // TODO Auto-generated catch block
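Review bot: same problem as the ListenCommand suggestion: the query is still concatenated and executed via `sqlStatement.execute(sqlQuery)`, so the finding at IgnoreCommand.java:47 stays open; `username` goes into the statement unvalidated, and the checks on `blabberUsername` and `result.getString(1)` do not change how the string is parsed by the database. Parameterise the INSERT with `?` placeholders and `setString`, read `result.getString(1)` once, and drop the placeholder allow-lists.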
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L246-L256

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
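Review bot: the added `import org.apache.commons.lang3.StringUtils;` only compiles if commons-lang3 is a declared dependency of the project; the hunk does not show the build file, so confirm the artifact is on the compile classpath before applying this and the other hunks that rely on `StringUtils`. The import is also placed after the project's own `com.veracode.verademo.utils` imports; keep it with the file's other third-party imports so the import order stays consistent.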
@@ -236,7 +237,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
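Review bot: this hunk does not touch the flagged sink. The finding points at UserController.java lines 246-256, where `sql` (built from `username`) is passed to `logger.info()`, but the change only wraps the earlier `logger.info("Entering password-hint with username: " + ...)` at line 240; the later `logger.info(sql)` would still write the raw value. Apply the same `StringUtils.normalizeSpace(...)` at the flagged call, or log a fixed message there instead of the query text. For the line that is changed, `normalizeSpace` does neutralize the CRLF-based forging, since CR and LF count as whitespace and are collapsed to single spaces, and because `normalizeSpace(null)` returns `null` the `username == null` check below keeps behaving as before.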
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L382-L392

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -384,7 +385,7 @@

            sqlStatement = connect.createStatement();
            sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
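Review bot: the sanitizer is applied at the call the finding names, `logger.info(query.toString())`, and `normalizeSpace` collapses CR/LF so the log line can no longer be split. Two things to reconsider: the log call sits after `sqlStatement.execute(query.toString())`, so a statement that fails is never logged, and logging the full INSERT text still records every user-supplied value it embeds; a short message with the escaped field values, logged before `execute`, gives the same troubleshooting value with less exposure. Note also that the `execute(query.toString())` on the line above is the SQL injection reported separately in the scan summary for UserController.java:386, which this log-only change does not address.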
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L490-L500

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -453,7 +454,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
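Review bot: the replacement line does not compile: `HttpSession.getAttribute()` returns `Object`, and `StringUtils.normalizeSpace` takes a `String`, so the cast has to be applied to the argument, not to the result: `String username = StringUtils.normalizeSpace((String) httpRequest.getSession().getAttribute("username"));`. Beyond that, the change is at line 454 while the finding points at lines 490-500 and the `sqlMyEvents` variable passed to `logger.info()`; normalizing the session username here does not sanitize that log call, which needs the same treatment at the sink. The `username == null` check on the following lines keeps working because `normalizeSpace(null)` returns `null`.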
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/UserController.java#L800-L810

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
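Review bot: `org.apache.commons.text.StringEscapeUtils` lives in the commons-text artifact, which is separate from the commons-lang3 artifact the other hunks use; make sure both are declared in the build, otherwise this import fails to resolve. The commons-text class is the right choice, since the `StringEscapeUtils` in commons-lang3 is deprecated in its favour.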
@@ -802,7 +803,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }
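Review bot: `StringEscapeUtils.escapeJava(username)` is an appropriate cleanser for this sink: it rewrites CR and LF as the literal sequences `\r` and `\n`, so a log entry can no longer be split, and `escapeJava(null)` returns `null`, so the existing concatenation keeps working. Be aware that it also turns every non-ASCII character into a `\uXXXX` escape, so usernames with accented or non-Latin characters will appear escaped in the log; if that hampers log searches, `StringUtils.normalizeSpace`, as used in the other hunks, keeps the characters and still removes line breaks.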
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/ResetController.java#L104-L114

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import org.apache.commons.lang3.StringUtils;

 @Controller
 @Scope("request")
@@ -106,7 +107,7 @@
            usersStatement = connect.prepareStatement(
                    "INSERT INTO users (username, password, password_hint, created_at, last_login, real_name, blab_name) values (?, ?, ?, ?, ?, ?, ?);");
            for (int i = 0; i < users.length; i++) {
-               logger.info("Adding user " + users[i].getUserName());
+               logger.info("Adding user " + StringUtils.normalizeSpace(users[i].getUserName()));
                usersStatement.setString(1, users[i].getUserName());
                usersStatement.setString(2, users[i].getPassword());
                usersStatement.setString(3, users[i].getPasswordHint());
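Review bot: the change sanitizes only the copy that goes to the log and leaves the value bound via `setString(1, ...)` untouched, which is the right split. One caveat: `normalizeSpace` also trims and collapses runs of internal whitespace, so the logged name can differ from the stored one; if log lines are later correlated with rows in `users`, prefer an escaping cleanser such as `StringEscapeUtils.escapeJava`, which preserves the original characters while still neutralizing line breaks.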
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/ResetController.java#L127-L137

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;

 @Controller
 @Scope("request")
@@ -129,7 +130,7 @@
                        String blabber = users[i].getUserName();
                        String listener = users[j].getUserName();

-                       logger.info("Adding " + listener + " as a listener of " + blabber);
+                       logger.info("Adding " + StringEscapeUtils.escapeJava(listener) + " as a listener of " + blabber);

                        listenersStatement.setString(1, blabber);
                        listenersStatement.setString(2, listener);
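Review bot: only `listener` is escaped; `blabber` on the same log line comes from the same source (`users[i].getUserName()` two lines up, versus `users[j].getUserName()` for `listener`), so it needs the same treatment: `logger.info("Adding " + StringEscapeUtils.escapeJava(listener) + " as a listener of " + StringEscapeUtils.escapeJava(blabber));`. As written, the finding would most likely be reported again for the unescaped operand.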
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/ResetController.java#L188-L198

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.net.URLEncoder;

 @Controller
 @Scope("request")
@@ -190,7 +191,7 @@
                    // get the number or seconds until some time in the last 30 days.
                    long vary = rand.nextInt(30 * 24 * 3600);

-                   logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(i));
+                   logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(URLEncoder.encode(i.toString())));
                    logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(i));
                    commentsStatement.setInt(1, i);
                    commentsStatement.setString(2, username);
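Review bot: the replacement line encodes the wrong operand and does not compile. `i` is a primitive `int` (it is passed to `commentsStatement.setInt(1, i)` below), so `i.toString()` is invalid, and the loop counter is not the tainted data anyway; `username`, the untrusted value, is still concatenated raw, both on this line and on the unchanged `logger.info("Adding another comment from " + username + ...)` that follows. Apply the cleanser to `username` on both lines instead, for example `StringUtils.normalizeSpace(username)` as the other ResetController hunks do, and drop the `java.net.URLEncoder` import: the single-argument `URLEncoder.encode(String)` is deprecated because it uses the platform default charset, and URL encoding also turns spaces into `+`, which makes the log line harder to read than the cleansers the finding recommends.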
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/controller/BlabController.java#L553-L563

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
 import com.veracode.verademo.model.Blabber;
 import com.veracode.verademo.model.Comment;
 import com.veracode.verademo.utils.Constants;
+import org.apache.commons.lang3.StringUtils;

 @Controller
 @Scope("request")
@@ -555,7 +556,7 @@
            return nextView = "redirect:login?target=blabbers";
        }

-       logger.info("blabberUsername = " + blabberUsername);
+       logger.info("blabberUsername = " + StringUtils.normalizeSpace(blabberUsername));
        logger.info("command = " + command);

        Connection connect = null;
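Review bot: `command` on the next line, `logger.info("command = " + command);`, is still logged raw. If it is taken from the request like `blabberUsername`, it needs the same `StringUtils.normalizeSpace(...)` wrapper, otherwise the forging vector simply moves one line down; if it is a server-side constant, a comment saying so would save the next reviewer the question.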
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L41-L51

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.net.URLEncoder;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -41,7 +42,7 @@
            result.next();

            /* START BAD CODE ------*/
-           String event = "Removed account for blabber " + result.getString(1);
+           String event = "Removed account for blabber " + URLEncoder.encode(result.getString(1));
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
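Review bot: the encoding is applied to the data rather than to the log output, and it misses the other tainted operand. The `event` string is both logged and written into `users_history`, so `URLEncoder.encode(result.getString(1))` stores a URL-encoded name in the database (spaces become `+`, other characters become `%XX`), while `blabberUsername`, concatenated into `sqlQuery` on the following line, still reaches `logger.info(sqlQuery)` unencoded. Keep `event` as it was and sanitize at the sink, e.g. `logger.info(StringUtils.normalizeSpace(sqlQuery));`, or log a short fixed message instead of the full statement. The single-argument `URLEncoder.encode(String)` is also deprecated because it uses the platform default charset. Separately, this region is listed in the scan summary as SQL injection (RemoveAccountCommand.java:40 and :47); building `sqlQuery` by concatenation is what that finding is about, and a `PreparedStatement` with `?` placeholders for `blabberUsername` and `event` would close both issues at once.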
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/ListenCommand.java#L34-L44

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;

 public class ListenCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -24,7 +25,7 @@

    @Override
    public void execute(String blabberUsername) {
-       String sqlQuery = "INSERT INTO listeners (blabber, listener, status) values (?, ?, 'Active');";
+       String sqlQuery = StringUtils.normalizeSpace("INSERT INTO listeners (blabber, listener, status) values (?, ?, 'Active');");
        logger.info(sqlQuery);
        PreparedStatement action;
        try {
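Review bot: `StringUtils.normalizeSpace(...)` is applied to a compile-time string literal, which is a no-op: the INSERT template contains only `?` placeholders and no user data, so the `logger.info(sqlQuery)` on the next line was never the problem. The finding points at ListenCommand.java lines 34-44, outside this hunk (lines 24-31), so the tainted `sqlQuery` it refers to is a later assignment that this change does not reach. Move the sanitizer to that log call and drop the wrapper here.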
github-actions[bot] commented 4 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/790e36896ee6f2e1546911c5b95c360ec9dc6384/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L34-L44

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;

 public class IgnoreCommand implements BlabberCommand { 
    private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -24,7 +25,7 @@

    @Override
    public void execute(String blabberUsername) {
-       String sqlQuery = "DELETE FROM listeners WHERE blabber=? AND listener=?;";
+       String sqlQuery = StringUtils.normalizeSpace("DELETE FROM listeners WHERE blabber=? AND listener=?;");
        logger.info(sqlQuery);
        PreparedStatement action;
        try {
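Review bot: same problem as the ListenCommand hunk: the literal `"DELETE FROM listeners WHERE blabber=? AND listener=?;"` carries no tainted data, so wrapping it in `normalizeSpace` changes nothing, and the reported location (IgnoreCommand.java lines 34-44) lies after this hunk. The cleanser belongs on the `logger.info()` call that logs the later, user-derived `sqlQuery`.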
github-actions[bot] commented 3 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: c5c9fb12-b9bc-4660-82ac-6a8e78989d99
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
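Review bot: `import java.util.*;` is a wildcard import used for three classes (`Set`, `HashSet`, `Arrays`); import them explicitly so the file does not pull the whole package into scope. The same wildcard is repeated in the next finding's hunk for this file, so fix both together.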
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
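Review bot: the validation is added after the query has been built and logged, and it leaves the string concatenation in place. `logger.info(sql)` on the line above runs before the `throw`, so a rejected value is still written to the log unsanitized (the CWE-117 finding for the same lines), and the `whitelistUsername` set holds placeholder entries `item1`, `item2`, `item3` that either have to be replaced with real values or removed, since as written they let any of those three strings bypass the regex. The regex `\w+(\s*\.\s*\w+)*` does exclude quote characters, so `username` can no longer terminate the single-quoted literal, but that is a format check standing in for the fix the finding asks for. Replace the concatenation with a bound parameter and keep the validation as defence in depth, moved above the log call:
`PreparedStatement statement = connect.prepareStatement("SELECT password_hint FROM users WHERE username = ?");`
`statement.setString(1, username);`
`ResultSet result = statement.executeQuery();`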
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -361,7 +362,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
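Review bot: changing the declared type to `PreparedStatement` does nothing for injection on its own; it only helps if the statement that is later prepared actually carries `?` bind parameters. Also check that `java.sql.PreparedStatement` is imported in this file, since the import hunk above only adds `java.util.*`.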
@@ -382,8 +383,13 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
            logger.info(query.toString());
            /* END BAD CODE */
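Review bot: `connect.prepareStatement(query.toString())` still receives the fully concatenated string (`query.append("'" + blabName + "'")` is unchanged), so the prepared statement has no bind parameters and the injection is moved, not fixed. Append `?` in place of each quoted value and call `sqlStatement.setString(n, blabName)` before `execute()`. Two smaller points: the inserted allowlist block is indented at method level although it sits inside the `try`, and the `item1`..`item3` set is placeholder data that should not be merged.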
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -502,10 +502,11 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
            ResultSet myInfoResults = myInfo.executeQuery();
            myInfoResults.next();

            // Send these values to our View
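Review bot: this is the right shape for the fix: the literal becomes a `?` placeholder and `myInfo.setString(1, username)` binds the value, so `logger.info(sql)` now logs only the template. One issue remains in the visible context: `myInfoResults.next()` is called without checking its return value, so an unknown username reaches the subsequent column reads on an empty result set and fails with an `SQLException` instead of a clean not-found path; guard it with `if (!myInfoResults.next()) { ... }`.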
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L35-L45

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L46-L56

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/ListenCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class ListenCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -41,10 +42,16 @@
            result.next();

            /* START BAD CODE -----*/
+           Set<String> whitelistBlabberusername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!blabberUsername.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabberusername.contains(blabberUsername))
+               throw new IllegalArgumentException();
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
            String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
            /* END BAD CODE */
        } catch (SQLException e) {
            // TODO Auto-generated catch block
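Review bot: the two inserted checks validate `blabberUsername` and `result.getString(1)`, but `sqlQuery` is still built by concatenation and `username` goes into it unvalidated, so the `sqlStatement.execute(sqlQuery)` call the scanner flagged is unchanged. Use `INSERT INTO users_history (blabber, event) VALUES (?, ?)` with a `PreparedStatement` and `setString` for `username` and `event`; the regex/allowlist block then becomes unnecessary. Minor: `result.getString(1)` is read three times; read it once into a local.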
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L42-L52

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.util.*;

 public class IgnoreCommand implements BlabberCommand { 
    private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -41,10 +42,16 @@
            result.next();

            /* START BAD CODE */
+           Set<String> whitelistBlabberusername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!blabberUsername.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabberusername.contains(blabberUsername))
+               throw new IllegalArgumentException();
+           Set<String> whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1)))
+               throw new IllegalArgumentException();
            String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
            /* END BAD CODE */
        } catch (SQLException e) {
            // TODO Auto-generated catch block
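Review bot: as in ListenCommand, the inserted checks do not cover `username`, and `sqlQuery` is still concatenated and passed to `sqlStatement.execute(sqlQuery)`, so the reported flaw is not fixed. Switch to `INSERT INTO users_history (blabber, event) VALUES (?, ?)` with a `PreparedStatement` and two `setString` calls, and read `result.getString(1)` once instead of three times.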
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L246-L256

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -236,7 +237,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
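Review bot: this hunk changes a different `logger.info` call from the one the scanner flagged. The finding names the variable `sql` as the tainted argument (the `logger.info(sql)` in the password-hint query block), whereas the edit wraps `username` in the "Entering password-hint" message. `StringUtils.normalizeSpace` does collapse CR/LF into single spaces, so the change is harmless, but the flagged call still logs the raw concatenated query; apply the same neutralisation there, or parameterize the query so that `sql` is a constant template.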
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L382-L392

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.net.URLEncoder;

 /**
  * @author johnadmin
@@ -384,7 +385,7 @@

            sqlStatement = connect.createStatement();
            sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+           logger.info(URLEncoder.encode(query.toString()));
            /* END BAD CODE */

            emailUser(username);
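Review bot: the single-argument `URLEncoder.encode(String)` is deprecated because it uses the platform default charset; use `URLEncoder.encode(query.toString(), StandardCharsets.UTF_8)`. URL-encoding also turns every space into `+` and every quote into `%27`, which makes the logged SQL hard to read; `StringEscapeUtils.escapeJava`, already used elsewhere in this PR, neutralises CR/LF without mangling the rest. Note that this hunk keeps `createStatement()`/`execute(query.toString())`, which conflicts with the earlier suggestion for the same lines that switched to `prepareStatement`; the two patches cannot both be applied as written.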
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L490-L500

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -453,7 +454,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
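Review bot: the replacement line does not compile: `getSession().getAttribute(...)` returns `Object`, and `StringUtils.normalizeSpace(String)` requires a `String`, so the cast has to move inside the call: `StringUtils.normalizeSpace((String) httpRequest.getSession().getAttribute("username"))`. The `if (username == null)` check that follows still works because `normalizeSpace(null)` returns `null`. Also, the finding names `sqlMyEvents` as the tainted log argument, and this hunk does not touch that call.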
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/UserController.java#L800-L810

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -802,7 +803,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }
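Review bot: `StringEscapeUtils.escapeJava` rewrites `\r` and `\n` as the two-character sequences `\\r` and `\\n`, so a newline in `username` can no longer start a forged log line; this is an acceptable fix for the flagged call. It needs `commons-text` on the classpath (`org.apache.commons.text`), which is a separate artifact from the `commons-lang3` used by the `StringUtils` hunks in this PR; confirm the dependency is declared in the build file.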
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/ResetController.java#L104-L114

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.net.URLEncoder;

 @Controller
 @Scope("request")
@@ -106,7 +107,7 @@
            usersStatement = connect.prepareStatement(
                    "INSERT INTO users (username, password, password_hint, created_at, last_login, real_name, blab_name) values (?, ?, ?, ?, ?, ?, ?);");
            for (int i = 0; i < users.length; i++) {
-               logger.info("Adding user " + users[i].getUserName());
+               logger.info("Adding user " + URLEncoder.encode(users[i].getUserName()));
                usersStatement.setString(1, users[i].getUserName());
                usersStatement.setString(2, users[i].getPassword());
                usersStatement.setString(3, users[i].getPasswordHint());
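Review bot: the single-argument `URLEncoder.encode(String)` is deprecated; use the `(String, Charset)` overload with `StandardCharsets.UTF_8` if URL-encoding is kept. For a log line it is the wrong tool anyway: it rewrites spaces as `+` and most punctuation as `%XX`, while the goal is only to neutralise CR/LF. `StringEscapeUtils.escapeJava(users[i].getUserName())`, as used in the other ResetController hunk, does that without mangling the name.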
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/ResetController.java#L127-L137

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;

 @Controller
 @Scope("request")
@@ -129,7 +130,7 @@
                        String blabber = users[i].getUserName();
                        String listener = users[j].getUserName();

-                       logger.info("Adding " + listener + " as a listener of " + blabber);
+                       logger.info("Adding " + StringEscapeUtils.escapeJava(listener) + " as a listener of " + blabber);

                        listenersStatement.setString(1, blabber);
                        listenersStatement.setString(2, listener);
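Review bot: only `listener` is escaped, while `blabber` on the same log line comes from the same `users[]` array (`users[i].getUserName()`) and is logged raw; either both values get `StringEscapeUtils.escapeJava` or the finding will reappear on the same line.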
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/ResetController.java#L188-L198

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from earlier calls to java.sql.PreparedStatement.executeQuery, and AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.net.URLEncoder;

 @Controller
 @Scope("request")
@@ -190,7 +191,7 @@
                    // get the number or seconds until some time in the last 30 days.
                    long vary = rand.nextInt(30 * 24 * 3600);

-                   logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(i));
+                   logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(URLEncoder.encode(i.toString())));
                    logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(i));
                    commentsStatement.setInt(1, i);
                    commentsStatement.setString(2, username);
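Review bot: the replacement line does not compile: `i` is a primitive `int` (`commentsStatement.setInt(1, i)` below), so `i.toString()` is invalid, and the blab ID is a loop counter, not the tainted value. The finding is about `username`, which this line still concatenates raw, as does the "Adding another comment" line right after it. Escape `username` on both lines (for example with `StringEscapeUtils.escapeJava(username)`) and leave `String.valueOf(i)` as it was.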
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/controller/BlabController.java#L553-L563

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
 import com.veracode.verademo.model.Blabber;
 import com.veracode.verademo.model.Comment;
 import com.veracode.verademo.utils.Constants;
+import org.apache.commons.lang3.StringUtils;

 @Controller
 @Scope("request")
@@ -555,7 +556,7 @@
            return nextView = "redirect:login?target=blabbers";
        }

-       logger.info("blabberUsername = " + blabberUsername);
+       logger.info("blabberUsername = " + StringUtils.normalizeSpace(blabberUsername));
        logger.info("command = " + command);

        Connection connect = null;
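Review bot: `StringUtils.normalizeSpace` collapses CR/LF into single spaces, so this addresses the flagged `blabberUsername` line. The very next line logs `command` raw; if `command` is taken from the same request as `blabberUsername` it needs the same treatment, otherwise the next scan will report that line.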
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java#L41-L51

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import java.net.URLEncoder;

 public class RemoveAccountCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -41,7 +42,7 @@
            result.next();

            /* START BAD CODE ------*/
-           String event = "Removed account for blabber " + result.getString(1);
+           String event = "Removed account for blabber " + URLEncoder.encode(result.getString(1));
            sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
            logger.info(sqlQuery);
            sqlStatement.execute(sqlQuery);
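Review bot: the encoding is applied to the wrong operand. The flagged sink is `logger.info(sqlQuery)`, and `sqlQuery` is built from `blabberUsername` as well as `event`; only `result.getString(1)` goes through `URLEncoder`, so `blabberUsername` still reaches the log unneutralized. URL-encoding also rewrites the value that the next line stores in `users_history`, and the one-argument `URLEncoder.encode(String)` is deprecated in favour of the form that takes an explicit charset. Since the same string is executed by `sqlStatement.execute(sqlQuery)`, the fix that clears both this finding and the SQL injection reported at the same lines is a `PreparedStatement` with `?` binds for both values, with a CRLF-neutralizing encoder applied only to the text that is logged.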
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/ListenCommand.java#L34-L44

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;

 public class ListenCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -24,7 +25,7 @@

    @Override
    public void execute(String blabberUsername) {
-       String sqlQuery = "INSERT INTO listeners (blabber, listener, status) values (?, ?, 'Active');";
+       String sqlQuery = StringUtils.normalizeSpace("INSERT INTO listeners (blabber, listener, status) values (?, ?, 'Active');");
        logger.info(sqlQuery);
        PreparedStatement action;
        try {
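Review bot: `StringUtils.normalizeSpace` is wrapped around a compile-time string literal that contains no untrusted input, so this change is a no-op for the finding. The tainted value the report describes enters `sqlQuery` after this assignment (the link above points at lines 34-44, below this hunk); the cleanser belongs where the untrusted value is concatenated into the logged string, not on the constant at line 28.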
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/38be575fcf18c7e6a02e7a0600204afb2b3231a0/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L34-L44

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@

 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;

 public class IgnoreCommand implements BlabberCommand { 
    private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -24,7 +25,7 @@

    @Override
    public void execute(String blabberUsername) {
-       String sqlQuery = "DELETE FROM listeners WHERE blabber=? AND listener=?;";
+       String sqlQuery = StringUtils.normalizeSpace("DELETE FROM listeners WHERE blabber=? AND listener=?;");
        logger.info(sqlQuery);
        PreparedStatement action;
        try {
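Review bot: same defect as the ListenCommand patch: the operand of `normalizeSpace` is the constant `DELETE FROM listeners ...` literal, which carries no tainted data, so the sink at the reported lines 34-44 is left exactly as it was. Either apply the cleanser at the point where the untrusted value is appended to the logged string, or log a fixed message instead of the query text.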
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: f99fe5ae-d8e0-49a6-8047-bac98ca85857
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================




-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/2d3e1232dc8c46a4155ae16e660323651b201f95/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
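Review bot: `import java.util.*;` is a wildcard import placed after the project's own `com.veracode.verademo` imports; prefer explicit imports of `Set`, `HashSet` and `Arrays` in the JDK import group of this file.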
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
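Review bot: the validation is inserted after the vulnerable query string has already been built and logged, and `statement.executeQuery(sql)` still executes concatenated SQL, so the change does not follow the finding's recommendation and leaves the string-built sink in place (the scan summary posted after this comment still lists UserController.java:253). The allowlist is also a placeholder, `"item1", "item2", "item3"`, that no real username will match. The regex does reject the quote character, which makes it a reasonable second line of defence, but the fix that actually removes the flaw is a bound parameter: `PreparedStatement ps = connect.prepareStatement("SELECT password_hint FROM users WHERE username = ?");` followed by `ps.setString(1, username);` and `ResultSet result = ps.executeQuery();`, with the raw `sql` string and its `logger.info` call removed.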
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: af4cfc19-8156-4152-a29b-32c0a0f9505a
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/f2f3973e6632bacda79fcb16e0e2dbee5c26d51a/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
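Review bot: this hunk is identical to the one proposed for commit 2d3e1232dc8c46a4155ae16e660323651b201f95 above, and the same objections stand: the check runs after the concatenated query is built and logged, `executeQuery(sql)` remains the sink, and the allowlist entries are placeholders. Replace the concatenation with `connect.prepareStatement(...)` and `setString(1, username)` instead of re-posting the validation.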
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 21af968a-f95e-4734-8fda-8a6a003cc436
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/3e9464f80c7f05763d4c80b6e7c1f368971850c7/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
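Review bot: third repetition of the same hunk (see the notes on the earlier copies); nothing in the scan summaries between these comments shows the finding at UserController.java:253 clearing, which is what one would expect while `executeQuery(sql)` still receives a concatenated string. A prepared statement with a `?` placeholder for `username` is the change that needs to land here.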
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: f451c388-673d-414b-b47c-793bfb724527
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/4631f594ef0424e98f142e2738f9eecb3a6c8562/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
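Review bot: the guard added in this hunk does not apply the fix the finding asks for. It runs after `sql` has already been built by concatenating `username` and after `logger.info(sql)` has written the unvalidated value to the log, and `executeQuery(sql)` still executes the concatenated string, so the only protection is the character class of the regex. Move the check above the `String sql = ...` line, replace the concatenation with `"SELECT password_hint FROM users WHERE username = ?"` executed through a `PreparedStatement` with `setString(1, username)`, and replace the placeholder whitelist entries `"item1", "item2", "item3"` with real values or drop the set; as written, any name in that set is also exempt from the regex because of the `&&`.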
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/4631f594ef0424e98f142e2738f9eecb3a6c8562/src/main/java/com/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4

This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -361,7 +362,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
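Review bot: changing the declaration from `Statement` to `PreparedStatement` changes no behaviour by itself; it only helps once the query text below uses `?` placeholders with bound values. Also confirm that `java.sql.PreparedStatement` is imported in this file, since the import hunk above adds only `java.util.*` and no `java.sql` import is visible in the diff.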
@@ -382,8 +383,13 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
            logger.info(query.toString());
            /* END BAD CODE */
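Review bot: `connect.prepareStatement(query.toString())` receives a query into which `blabName` has already been spliced by `query.append("'" + blabName + "'")`, so the prepared statement has no bind parameters and the injection path reported by the scanner is unchanged; the regex/whitelist check is the only protection, and it is placed after the value is concatenated and indented one level shallower than the surrounding `try` body. Replace the appended literal with a `?` placeholder, call `sqlStatement.setString(n, blabName)` before `sqlStatement.execute()`, move the guard above the `query.append` lines, and replace the placeholder whitelist entries `"item1", "item2", "item3"`. Note also the `/* END BAD CODE */` marker on the last context line: this block is part of the demo's intentionally vulnerable section, so check whether a fix is meant to land here at all.

The parameterized form the scanner recommends in both findings above (UserController.java:253 and :386), as an added example that is not code from the test-action repository or from the scanner. It assumes an open `java.sql.Connection` named `connect`, the `users.password_hint` column and the `username`/`blabName` inputs shown in the diffs; the `blabs (blab_name)` table and column in the INSERT are hypothetical, since the diff shows only the appended value, not the target table.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public final class SafeQueries {
    // Same character rule the diffs use, but applied before any SQL text exists.
    private static final Pattern NAME = Pattern.compile("\\w+(\\s*\\.\\s*\\w+)*");

    /** Parameterized replacement for the password-hint lookup (UserController.java:253). */
    public static String passwordHint(Connection connect, String username) throws SQLException {
        if (username == null || !NAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        // The value is bound, never concatenated: quotes or semicolons in
        // username cannot change the shape of the query the database parses.
        try (PreparedStatement ps = connect.prepareStatement(
                "SELECT password_hint FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("password_hint") : null;
            }
        }
    }

    /**
     * Parameterized replacement for the blab insert (UserController.java:386).
     * Table and column names are hypothetical; the diff shows only the value.
     */
    public static int insertBlab(Connection connect, String blabName) throws SQLException {
        if (blabName == null || !NAME.matcher(blabName).matches()) {
            throw new IllegalArgumentException("invalid blab name");
        }
        try (PreparedStatement ps = connect.prepareStatement(
                "INSERT INTO blabs (blab_name) VALUES (?)")) {
            ps.setString(1, blabName);
            return ps.executeUpdate();   // rows inserted, normally 1
        }
    }
}
```

Both methods validate first and bind second: validation keeps the accepted alphabet narrow (and keeps unvalidated input out of the log line the original code writes), while the bind parameter is what actually stops a quote in the input from terminating the string literal, which is the property the whitelist-and-regex patch alone does not guarantee.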