test branch #983

Korjen97 · 2024-12-24T10:47:23Z

By submitting a PR to this repository, you agree to the terms within the Checkmarx Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Describe the purpose of this PR along with any background information and the impacts of the proposed change.

References

Include supporting link to GitHub Issue/PR number

Testing

Describe how this change was tested. Be specific about anything not tested and reasons why. If this solution has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Checklist

I have added documentation for new/changed functionality in this PR (if applicable).
I have updated the CLI help for new/changed functionality in this PR (if applicable).
All active GitHub checks for tests, formatting, and security are passing
The correct base branch is being used

github-actions · 2024-12-24T10:53:00Z

Checkmarx One – Scan Summary & Details – 6675884e-4ca2-4be4-a006-4a40cc9476da

New Issues (54)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2019-10744	Npm-lodash-4.17.11	Vulnerable Package
Code_Injection	/small-project-main/dsvw.py: 25	details The application's do_GET method receives and dynamically executes user-controlled code using exec, at line 57 of /small-project-main/dsvw.py. This ... Attack Vector
Code_Injection	/small-project-main/dsvw.py: 25	details The application's do_GET method receives and dynamically executes user-controlled code using exec, at line 57 of /small-project-main/dsvw.py. This ... Attack Vector
Code_Injection	/small-project-main/dsvw.py: 56	details The application's do_GET method receives and dynamically executes user-controlled code using exec, at line 57 of /small-project-main/dsvw.py. This ... Attack Vector
Command_Injection	/small-project-main/dsvw.py: 25	details The application's do_GET method calls an OS (shell) command with envs, at line 57 of /small-project-main/dsvw.py, using an untrusted string with th... Attack Vector
Command_Injection	/small-project-main/dsvw.py: 25	details The application's do_GET method calls an OS (shell) command with envs, at line 57 of /small-project-main/dsvw.py, using an untrusted string with th... Attack Vector
Command_Injection	/small-project-main/dsvw.py: 56	details The application's do_GET method calls an OS (shell) command with envs, at line 57 of /small-project-main/dsvw.py, using an untrusted string with th... Attack Vector
Cx042e432f-e0c4	Npm-node-ipc-9.2.2	Vulnerable Package
Cx07931ce7-8224	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cx28bd7545-eb30	Npm-node-ipc-9.2.2	Vulnerable Package
Cx299e146f-5a39	Npm-scs-0.0.1	Vulnerable Package
Cx43050644-3add	Npm-momnet-2.29.1	Vulnerable Package
Cx4737011d-347c	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cx4a52ebed-4106	Npm-momnet-2.29.1	Vulnerable Package
Cx4ba6c921-c998	Npm-scs-0.0.1	Vulnerable Package
Cx4eb613b4-04e7	Npm-scs-0.0.1	Vulnerable Package
Cx558b006b-f4df	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cx6b9a86a5-690c	Npm-flow-dev-tools-99.10.9	Vulnerable Package
Cx8ef77360-5422	Npm-node-ipc-9.2.2	Vulnerable Package
Cx8f9b1745-1402	Npm-scs-0.0.1	Vulnerable Package
Cx9c42b5fe-7ada	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cx9c42f2c3-f75f	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cxa2b7a014-3ccf	Npm-flow-dev-tools-99.10.9	Vulnerable Package
Cxadcc9e15-660b	Npm-flow-dev-tools-99.10.9	Vulnerable Package
Cxae294227-318d	Npm-scs-0.0.1	Vulnerable Package
Cxb548375c-73ad	Npm-momnet-2.29.1	Vulnerable Package
Cxbe748a42-4843	Npm-scs-0.0.1	Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.6.1	Vulnerable Package
Cxd59efdf2-2f00	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cxe3a87c30-9600	Npm-scs-0.0.1	Vulnerable Package
Cxec41bee3-fc56	Npm-ua-parser-js-0.7.29	Vulnerable Package
Cxed2acd22-9b01	Npm-node-ipc-9.2.2	Vulnerable Package
SQL_Injection	/small-project-main/SqlInjectionLesson5a.java: 55	details The application's injectableQuery method executes an SQL query with executeQuery, at line 67 of /small-project-main/SqlInjectionLesson5a.java. The ... Attack Vector
SQL_Injection	/small-project-main/SqlInjectionLesson5a.java: 55	details The application's injectableQuery method executes an SQL query with executeQuery, at line 67 of /small-project-main/SqlInjectionLesson5a.java. The ... Attack Vector
SQL_Injection	/small-project-main/SqlInjectionLesson5a.java: 55	details The application's injectableQuery method executes an SQL query with executeQuery, at line 67 of /small-project-main/SqlInjectionLesson5a.java. The ... Attack Vector
Stored_XSS	/small-project-main/dsvw.py: 26	details The method do_GET embeds untrusted data in generated output with write, at line 80 of /small-project-main/dsvw.py. This untrusted data is embedded ... Attack Vector
Stored_XSS	/small-project-main/dsvw.py: 37	details The method do_GET embeds untrusted data in generated output with write, at line 80 of /small-project-main/dsvw.py. This untrusted data is embedded ... Attack Vector
Stored_XSS	/small-project-main/dsvw.py: 35	details The method do_GET embeds untrusted data in generated output with write, at line 80 of /small-project-main/dsvw.py. This untrusted data is embedded ... Attack Vector
CVE-2017-1000048	Npm-qs-6.0.0	Vulnerable Package
CVE-2020-8203	Npm-lodash-4.17.11	Vulnerable Package
CVE-2021-23337	Npm-lodash-4.17.11	Vulnerable Package
CVE-2021-4229	Npm-ua-parser-js-0.7.29	Vulnerable Package
CVE-2022-24999	Npm-qs-6.0.0	Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-4.17.11	Vulnerable Package
Cxdca8e59f-8bfe	Npm-inflight-1.0.6	Vulnerable Package
Cxec49316b-56df	Npm-js-yaml-3.6.1	Vulnerable Package
CVE-2020-28500	Npm-lodash-4.17.11	Vulnerable Package
Cx877cf216-175c	Npm-event-pubsub-5.0.3	Vulnerable Package
Cx90bff1cb-7264	Npm-strong-type-0.1.6	Vulnerable Package
Missing_HSTS_Header	/small-project-main/dsvw.py: 76	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
Stored_Command_Injection	/small-project-main/dsvw.py: 56	details The application's do_GET method calls an OS (shell) command with program, at line 57 of /small-project-main/dsvw.py, using an untrusted string with... Attack Vector
Unpinned Package Version in Apk Add	/Dockerfile: 6	details Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Healthcheck Instruction Missing	/Dockerfile: 3	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Unpinned Actions Full Length Commit SHA	/main.yml: 11	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...