
Commit from Elan #1

Open

elangosenthilnathan wants to merge 1 commit into master from aa1

Conversation

@elangosenthilnathan
Owner

No description provided.

@elangosenthilnathan
Owner Author

 ██████╗ ██╗    ██╗██╗███████╗████████╗ █████╗ ██╗
██╔═══██╗██║    ██║██║██╔════╝╚══██╔══╝██╔══██╗██║
██║   ██║██║ █╗ ██║██║█████╗     ██║   ███████║██║
██║▄▄ ██║██║███╗██║██║██╔══╝     ██║   ██╔══██║██║
╚██████╔╝╚███╔███╔╝██║███████╗   ██║██╗██║  ██║██║
 ╚══▀▀═╝  ╚══╝╚══╝ ╚═╝╚══════╝   ╚═╝╚═╝╚═╝  ╚═╝╚═╝




Executive Summary

Bestfix from Qwiet.AI analyzed scan #5 for the java app shiftleft-java-demo on 2024-05-30. 21 files were analyzed during this scan resulting in 12 critical and high vulnerabilities. 65 open-source dependencies were also identified in which 43 vulnerabilities were found. Use the information in this report to mitigate the open-source and custom code vulnerabilities and to improve the scan performance.



OWASP Summary
╔════════════════════════════════════════════════╤═══════╗
║ Category                                       │ Count ║
╟────────────────────────────────────────────────┼───────╢
║ a01-broken-access-control                      │     2 ║
╟────────────────────────────────────────────────┼───────╢
║ a02-cryptographic-failures                     │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a03-injection                                  │     9 ║
╟────────────────────────────────────────────────┼───────╢
║ a04-insecure-design                            │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a05-security-misconfiguration                  │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a06-vulnerable-and-outdated-components         │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a07-identification-and-authentication-failures │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a08-software-and-data-integrity-failures       │     1 ║
╟────────────────────────────────────────────────┼───────╢
║ a09-security-logging-and-monitoring-failures   │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a10-server-side-request-forgery-(ssrf)         │     - ║
╚════════════════════════════════════════════════╧═══════╝


CVSS Ratings Summary
╔══════════╤═══════╗
║ Rating   │ Count ║
╟──────────┼───────╢
║ critical │     3 ║
╟──────────┼───────╢
║ high     │     9 ║
╟──────────┼───────╢
║ medium   │     - ║
╟──────────┼───────╢
║ low      │     - ║
╚══════════╧═══════╝



Best OSS Fix Suggestions for shiftleft-java-demo
╔═══════════════════════════════════════════╤═══════════╤═══════════════╤══════════════════╤════════════════╗
║ Package                                   │ Reachable │       Version │ CVE              │ Fix Version(s) ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.springframework/spring-web            │ Reachable │ 4.3.6.RELEASE │ CVE-2024-22262   │          6.1.6 ║
║                                           │           │               │ CVE-2024-22259   │          6.1.5 ║
║                                           │           │               │ CVE-2024-22243   │          6.1.4 ║
║                                           │           │               │ CVE-2018-15756   │         6.0.19 ║
║                                           │           │               │ CVE-2016-1000027 │         6.0.18 ║
║                                           │           │               │                  │         5.3.34 ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.springframework/spring-expression     │ Reachable │ 4.3.6.RELEASE │ CVE-2023-20863   │          6.0.8 ║
║                                           │           │               │                  │         5.3.27 ║
║                                           │           │               │                  │ 5.2.24.release ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.apache.tomcat.embed/tomcat-embed-core │ Reachable │        8.5.11 │ CVE-2023-46589   │         9.0.83 ║
║                                           │           │               │ CVE-2022-42252   │         9.0.68 ║
║                                           │           │               │ CVE-2022-25762   │         9.0.45 ║
║                                           │           │               │ CVE-2021-41079   │         9.0.44 ║
║                                           │           │               │ CVE-2021-30639   │         9.0.43 ║
║                                           │           │               │ CVE-2021-25329   │         9.0.40 ║
║                                           │           │               │ CVE-2021-25122   │         9.0.37 ║
║                                           │           │               │ CVE-2020-9484    │         9.0.36 ║
║                                           │           │               │ CVE-2020-1938    │         9.0.35 ║
║                                           │           │               │ CVE-2020-17527   │         9.0.31 ║
║                                           │           │               │ CVE-2020-1745    │         9.0.30 ║
║                                           │           │               │ CVE-2020-13935   │         9.0.29 ║
║                                           │           │               │ CVE-2020-13934   │         9.0.21 ║
║                                           │           │               │ CVE-2020-11996   │         9.0.20 ║
║                                           │           │               │ CVE-2019-17563   │         9.0.17 ║
║                                           │           │               │ CVE-2019-12418   │         9.0.16 ║
║                                           │           │               │ CVE-2019-10072   │          9.0.1 ║
║                                           │           │               │ CVE-2019-0232    │      9.0.0.m21 ║
║                                           │           │               │ CVE-2019-0199    │      9.0.0.m18 ║
║                                           │           │               │ CVE-2018-8034    │         8.5.96 ║
║                                           │           │               │ CVE-2018-8014    │         8.5.76 ║
║                                           │           │               │ CVE-2018-1336    │         8.5.65 ║
║                                           │           │               │ CVE-2017-7675    │         8.5.64 ║
║                                           │           │               │ CVE-2017-5664    │         8.5.63 ║
║                                           │           │               │ CVE-2017-5651    │         8.5.60 ║
║                                           │           │               │ CVE-2017-5650    │         8.5.57 ║
║                                           │           │               │ CVE-2017-5648    │         8.5.56 ║
║                                           │           │               │ CVE-2017-12617   │                ║
╚═══════════════════════════════════════════╧═══════════╧═══════════════╧══════════════════╧════════════════╝



Best Fix Suggestions for shiftleft-java-demo
╔═════╤══════════╤═══════════════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════════════╗
║  ID │ Severity │ Category              │ Remediated Flow                                                                                       │ Comment                                                                                               ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 372 │ critical │ Remote Code Execution │                                                                                                       │ Taint: Parameter foo in the method doGetSearch                                                        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:21](file:///home/runner/work/shiftlef │                                                                                                       ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:21)    │ Use an allowlist for approved commands and compare the variables foo against this list in a new       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:27](file:///home/runner/work/shiftlef │ validation method. Then, specify this validation method name in the remediation config file.          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:27)    │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 365 │ high     │ Deserialization       │                                                                                                       │ Taint: Parameter objectInputStream in the method isAdmin                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:85](file:///home/runner/work/shiftleft │                                                                                                       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:85)      │ Follow security best practices to configure and use the deserialization library in a safe manner.     ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:91](file:///home/runner/work/shiftleft │ Depending on the version of the library used, this vulnerability could be difficult to exploit.       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:91)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:31](file:///home/runner/work/shiftleft │ Remediation suggestions:                                                                              ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:31)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:34](file:///home/runner/work/shiftleft │ Include these detected CHECK methods in your remediation config to suppress this finding.             ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:34)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:35](file:///home/runner/work/shiftleft │  • io.shiftleft.controller.AdminController.isAdmin                                                    ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:35)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:36](file:///home/runner/work/shiftleft │                                                                                                       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:36)      │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 101 │ critical │ Directory Traversal   │                                                                                                       │ Taint: Parameter settings[0] in the method saveSettings                                               ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:220](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Use an allowlist of safe file or URL locations and compare settings[0] against this list before       ║
║     │          │                       │    20)                                                                                                │ invoking the method java.io.File.<init>.                                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:229](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    29)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:230](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    30)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:236](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    36)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:248](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    48)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:251](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    51)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 100 │ critical │ Directory Traversal   │                                                                                                       │ Taint: Parameter settings[0] in the method saveSettings                                               ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:164](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:1 │ Use an allowlist of safe file or URL locations and compare settings[0] against this list before       ║
║     │          │                       │    64)                                                                                                │ invoking the method java.io.File.<init>.                                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:224](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Remediation suggestions:                                                                              ║
║     │          │                       │    24)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:229](file:///home/runner/work/shift │ Include these detected CHECK methods in your remediation config to suppress this finding.             ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    29)                                                                                                │  • io.shiftleft.controller.CustomerController.checkCookie                                             ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:230](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    30)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:236](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    36)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:248](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    48)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:251](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    51)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  85 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable message. Ensure the variable message  ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:21](file:///home/runner/work/shiftlef │ are encoded or sanitized before returning via HTML or API response.                                   ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:21)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:27](file:///home/runner/work/shiftlef │ Suppression:                                                                                          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:27)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:28](file:///home/runner/work/shiftlef │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:28)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:32](file:///home/runner/work/shiftlef │  • io.shiftleft.controller.SearchController.doGetSearch                                               ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:32)    │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  84 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:283](file:///home/runner/work/shift │ customer1 are encoded or sanitized before returning via HTML or API response.                         ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    83)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:24](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:24)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  83 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:289](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    89)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:30](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:30)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  82 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:284](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    84)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:25](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:25)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:162](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:162)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  81 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:286](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    86)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:27](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:27)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:162](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:162)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  80 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:288](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    88)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:29](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:29)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  79 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customerId. Ensure the variable       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │ customerId is encoded or sanitized before returning via HTML or API response.                         ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:23](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:23)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  78 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:287](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    87)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:28](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:28)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╚═════╧══════════╧═══════════════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════════════╝



                             Findings Similarity Analysis for shiftleft-java-demo                             
╔══════════════════════╤════════════════════════════════════════════════════════════════════════╤════════════╗
║ Category             │ Similar Data Flows                                                     │ Finding ID ║
╟──────────────────────┼────────────────────────────────────────────────────────────────────────┼────────────╢
║ Directory Traversal  │ End: src/main/java/io/shiftleft/controller/CustomerController.java:251 │        101 ║
║                      │                                                                        │        100 ║
╟──────────────────────┼────────────────────────────────────────────────────────────────────────┼────────────╢
║ Cross-Site Scripting │ End: src/main/java/io/shiftleft/controller/CustomerController.java:281 │         84 ║
║                      │                                                                        │         83 ║
║                      │                                                                        │         82 ║
║                      │                                                                        │         81 ║
║                      │                                                                        │         80 ║
║                      │                                                                        │         78 ║
╚══════════════════════╧════════════════════════════════════════════════════════════════════════╧════════════╝


╭─────────────────────────────────────────────────────────────────────────────────────────────────── Scan Improvements for shiftleft-java-demo (java) ───────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                                                                                                                                                                        │
│  • Remediation: Review this best fix report and create a remediation config to suppress additional findings.                                                                                                                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
