
Commit from Elan #2

Open

elangosenthilnathan wants to merge 1 commit into master from aa2

Conversation

@elangosenthilnathan (Owner)

No description provided.

@elangosenthilnathan (Owner, Author)

 ██████╗ ██╗    ██╗██╗███████╗████████╗ █████╗ ██╗
██╔═══██╗██║    ██║██║██╔════╝╚══██╔══╝██╔══██╗██║
██║   ██║██║ █╗ ██║██║█████╗     ██║   ███████║██║
██║▄▄ ██║██║███╗██║██║██╔══╝     ██║   ██╔══██║██║
╚██████╔╝╚███╔███╔╝██║███████╗   ██║██╗██║  ██║██║
 ╚══▀▀═╝  ╚══╝╚══╝ ╚═╝╚══════╝   ╚═╝╚═╝╚═╝  ╚═╝╚═╝




Executive Summary

Bestfix from Qwiet.AI analyzed scan #5 for the java app shiftleft-java-demo on 2024-05-30. 21 files were analyzed during this scan resulting in 12 critical and high vulnerabilities. 65 open-source dependencies were also identified in which 43 vulnerabilities were found. Use the information in this report to mitigate the open-source and custom code vulnerabilities and to improve the scan performance.

OWASP Summary
╔════════════════════════════════════════════════╤═══════╗
║ Category                                       │ Count ║
╟────────────────────────────────────────────────┼───────╢
║ a01-broken-access-control                      │     2 ║
╟────────────────────────────────────────────────┼───────╢
║ a02-cryptographic-failures                     │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a03-injection                                  │     9 ║
╟────────────────────────────────────────────────┼───────╢
║ a04-insecure-design                            │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a05-security-misconfiguration                  │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a06-vulnerable-and-outdated-components         │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a07-identification-and-authentication-failures │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a08-software-and-data-integrity-failures       │     1 ║
╟────────────────────────────────────────────────┼───────╢
║ a09-security-logging-and-monitoring-failures   │     - ║
╟────────────────────────────────────────────────┼───────╢
║ a10-server-side-request-forgery-(ssrf)         │     - ║
╚════════════════════════════════════════════════╧═══════╝


CVSS Ratings Summary
╔══════════╤═══════╗
║ Rating   │ Count ║
╟──────────┼───────╢
║ critical │     3 ║
╟──────────┼───────╢
║ high     │     9 ║
╟──────────┼───────╢
║ medium   │     - ║
╟──────────┼───────╢
║ low      │     - ║
╚══════════╧═══════╝



Best OSS Fix Suggestions for shiftleft-java-demo
╔═══════════════════════════════════════════╤═══════════╤═══════════════╤══════════════════╤════════════════╗
║ Package                                   │ Reachable │       Version │ CVE              │ Fix Version(s) ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.springframework/spring-web            │ Reachable │ 4.3.6.RELEASE │ CVE-2024-22262   │          6.1.6 ║
║                                           │           │               │ CVE-2024-22259   │          6.1.5 ║
║                                           │           │               │ CVE-2024-22243   │          6.1.4 ║
║                                           │           │               │ CVE-2018-15756   │         6.0.19 ║
║                                           │           │               │ CVE-2016-1000027 │         6.0.18 ║
║                                           │           │               │                  │         5.3.34 ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.springframework/spring-expression     │ Reachable │ 4.3.6.RELEASE │ CVE-2023-20863   │          6.0.8 ║
║                                           │           │               │                  │         5.3.27 ║
║                                           │           │               │                  │ 5.2.24.release ║
╟───────────────────────────────────────────┼───────────┼───────────────┼──────────────────┼────────────────╢
║ org.apache.tomcat.embed/tomcat-embed-core │ Reachable │        8.5.11 │ CVE-2023-46589   │         9.0.83 ║
║                                           │           │               │ CVE-2022-42252   │         9.0.68 ║
║                                           │           │               │ CVE-2022-25762   │         9.0.45 ║
║                                           │           │               │ CVE-2021-41079   │         9.0.44 ║
║                                           │           │               │ CVE-2021-30639   │         9.0.43 ║
║                                           │           │               │ CVE-2021-25329   │         9.0.40 ║
║                                           │           │               │ CVE-2021-25122   │         9.0.37 ║
║                                           │           │               │ CVE-2020-9484    │         9.0.36 ║
║                                           │           │               │ CVE-2020-1938    │         9.0.35 ║
║                                           │           │               │ CVE-2020-17527   │         9.0.31 ║
║                                           │           │               │ CVE-2020-1745    │         9.0.30 ║
║                                           │           │               │ CVE-2020-13935   │         9.0.29 ║
║                                           │           │               │ CVE-2020-13934   │         9.0.21 ║
║                                           │           │               │ CVE-2020-11996   │         9.0.20 ║
║                                           │           │               │ CVE-2019-17563   │         9.0.17 ║
║                                           │           │               │ CVE-2019-12418   │         9.0.16 ║
║                                           │           │               │ CVE-2019-10072   │          9.0.1 ║
║                                           │           │               │ CVE-2019-0232    │      9.0.0.m21 ║
║                                           │           │               │ CVE-2019-0199    │      9.0.0.m18 ║
║                                           │           │               │ CVE-2018-8034    │         8.5.96 ║
║                                           │           │               │ CVE-2018-8014    │         8.5.76 ║
║                                           │           │               │ CVE-2018-1336    │         8.5.65 ║
║                                           │           │               │ CVE-2017-7675    │         8.5.64 ║
║                                           │           │               │ CVE-2017-5664    │         8.5.63 ║
║                                           │           │               │ CVE-2017-5651    │         8.5.60 ║
║                                           │           │               │ CVE-2017-5650    │         8.5.57 ║
║                                           │           │               │ CVE-2017-5648    │         8.5.56 ║
║                                           │           │               │ CVE-2017-12617   │                ║
╚═══════════════════════════════════════════╧═══════════╧═══════════════╧══════════════════╧════════════════╝



Best Fix Suggestions for shiftleft-java-demo
╔═════╤══════════╤═══════════════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════════════╗
║  ID │ Severity │ Category              │ Remediated Flow                                                                                       │ Comment                                                                                               ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 372 │ critical │ Remote Code Execution │                                                                                                       │ Taint: Parameter foo in the method doGetSearch                                                        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:21](file:///home/runner/work/shiftlef │                                                                                                       ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:21)    │ Use an allowlist for approved commands and compare the variable foo against this list in a new        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:27](file:///home/runner/work/shiftlef │ validation method. Then, specify this validation method name in the remediation config file.          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:27)    │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 365 │ high     │ Deserialization       │                                                                                                       │ Taint: Parameter objectInputStream in the method isAdmin                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:85](file:///home/runner/work/shiftleft │                                                                                                       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:85)      │ Follow security best practices to configure and use the deserialization library in a safe manner.     ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:91](file:///home/runner/work/shiftleft │ Depending on the version of the library used, this vulnerability could be difficult to exploit.       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:91)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:31](file:///home/runner/work/shiftleft │ Remediation suggestions:                                                                              ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:31)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:34](file:///home/runner/work/shiftleft │ Include these detected CHECK methods in your remediation config to suppress this finding.             ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:34)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:35](file:///home/runner/work/shiftleft │  • io.shiftleft.controller.AdminController.isAdmin                                                    ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:35)      │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/AdminController.java:36](file:///home/runner/work/shiftleft │                                                                                                       ║
║     │          │                       │    -java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/AdminController.java:36)      │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 101 │ critical │ Directory Traversal   │                                                                                                       │ Taint: Parameter settings[0] in the method saveSettings                                               ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:220](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Use an allowlist of safe file or URL locations and compare settings[0] against this list before       ║
║     │          │                       │    20)                                                                                                │ invoking the method java.io.File.<init>.                                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:229](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    29)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:230](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    30)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:236](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    36)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:248](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    48)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:251](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    51)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ 100 │ critical │ Directory Traversal   │                                                                                                       │ Taint: Parameter settings[0] in the method saveSettings                                               ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:164](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:1 │ Use an allowlist of safe file or URL locations and compare settings[0] against this list before       ║
║     │          │                       │    64)                                                                                                │ invoking the method java.io.File.<init>.                                                              ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:224](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Remediation suggestions:                                                                              ║
║     │          │                       │    24)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:229](file:///home/runner/work/shift │ Include these detected CHECK methods in your remediation config to suppress this finding.             ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    29)                                                                                                │  • io.shiftleft.controller.CustomerController.checkCookie                                             ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:230](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    30)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:236](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    36)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:248](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    48)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:251](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    51)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  85 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable message. Ensure the variable message  ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:21](file:///home/runner/work/shiftlef │ is encoded or sanitized before returning via HTML or API response.                                    ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:21)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:27](file:///home/runner/work/shiftlef │ Suppression:                                                                                          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:27)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:28](file:///home/runner/work/shiftlef │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:28)    │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/SearchController.java:32](file:///home/runner/work/shiftlef │  • io.shiftleft.controller.SearchController.doGetSearch                                               ║
║     │          │                       │    t-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/SearchController.java:32)    │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  84 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:283](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    83)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:24](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:24)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  83 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:289](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    89)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:30](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:30)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  82 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:284](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    84)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:25](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:25)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:162](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:162)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  81 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:286](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    86)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:27](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:27)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:162](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:162)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  80 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:288](file:///home/runner/work/shift │ customer1 is encoded or sanitized before returning via HTML or API response.                          ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    88)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:29](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:29)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  79 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customerId. Ensure the variable       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │ customerId is encoded or sanitized before returning via HTML or API response.                         ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:23](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:23)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
╟─────┼──────────┼───────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────╢
║  78 │ high     │ Cross-Site Scripting  │                                                                                                       │ This is a security best practices type finding. Taint: Variable customer1. Ensure the variable        ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:287](file:///home/runner/work/shift │ customer1 are encoded or sanitized before returning via HTML or API response.                         ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    87)                                                                                                │ Suppression:                                                                                          ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:297](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │ Specify the sink method in your remediation config to suppress this finding.                          ║
║     │          │                       │    97)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:20](file:///home/runner/work/shiftleft-java-demo/s │  • io.shiftleft.controller.CustomerController.debug                                                   ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:20)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:28](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:28)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:19](file:///home/runner/work/shiftleft-java-demo/s │                                                                                                       ║
║     │          │                       │    hiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:19)                              │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:296](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    96)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:306](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:3 │                                                                                                       ║
║     │          │                       │    06)                                                                                                │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:159](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:159)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:163](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:163)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:161](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:161)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/model/Customer.java:160](file:///home/runner/work/shiftleft-java-demo/ │                                                                                                       ║
║     │          │                       │    shiftleft-java-demo/src/main/java/io/shiftleft/model/Customer.java:160)                            │                                                                                                       ║
║     │          │                       │  • [src/main/java/io/shiftleft/controller/CustomerController.java:281](file:///home/runner/work/shift │                                                                                                       ║
║     │          │                       │    left-java-demo/shiftleft-java-demo/src/main/java/io/shiftleft/controller/CustomerController.java:2 │                                                                                                       ║
║     │          │                       │    81)                                                                                                │                                                                                                       ║
╚═════╧══════════╧═══════════════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════════════╝



                             Findings Similarity Analysis for shiftleft-java-demo                             
╔══════════════════════╤════════════════════════════════════════════════════════════════════════╤════════════╗
║ Category             │ Similar Data Flows                                                     │ Finding ID ║
╟──────────────────────┼────────────────────────────────────────────────────────────────────────┼────────────╢
║ Directory Traversal  │ End: src/main/java/io/shiftleft/controller/CustomerController.java:251 │        101 ║
║                      │                                                                        │        100 ║
╟──────────────────────┼────────────────────────────────────────────────────────────────────────┼────────────╢
║ Cross-Site Scripting │ End: src/main/java/io/shiftleft/controller/CustomerController.java:281 │         84 ║
║                      │                                                                        │         83 ║
║                      │                                                                        │         82 ║
║                      │                                                                        │         81 ║
║                      │                                                                        │         80 ║
║                      │                                                                        │         78 ║
╚══════════════════════╧════════════════════════════════════════════════════════════════════════╧════════════╝


╭─────────────────────────────────────────────────────────────────────────────────────────────────── Scan Improvements for shiftleft-java-demo (java) ───────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                                                                                                                                                                        │
│  • Remediation: Review this best fix report and create a remediation config to suppress additional findings.                                                                                                                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

@github-actions

Checking analysis of application LaBrea against 4 build rules.

Using sl version 0.9.2509 (32315c47fd2cff75fe89e7cc80b6ac271119d689).

Checking findings on scan 2.

Results per rule:

  • No critical or high SAST findings: FAIL
    (12 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

       ID   CVSS    Rating    Title                                                                                                              
     93    9.0   critical   Remote Code Execution: Code Injection Through Attacker-controlled Data via foo in SearchController.doGetSearch 
     94    9.0   critical   Directory Traversal: Attacker-controlled Data Used in File Path via request in CustomerController.checkCookie  
     95    9.0   critical   Directory Traversal: Attacker-controlled Data Used in File Path via request in CustomerController.saveSettings 
     72    8.0     high     Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via foo in SearchController.doGetSearch    
     73    8.0     high     Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via customerId in CustomerController.debug 
     Severity rating   Count 
     Critical              3 
     High                  9 
     Medium                0 
     Low                   0 

     Category                Count 
     Cross-Site Scripting        8 
     Directory Traversal         2 
     Remote Code Execution       1 
     Deserialization             1 

     OWASP 2021 Category                        Count 
     A03-Injection                                  9 
     A01-Broken-Access-Control                      2 
     A08-Software-And-Data-Integrity-Failures       1 

  • Allow 0 secrets: FAIL
    (7 matched vulnerabilities; configured threshold is 0).

    Findings:

       ID   CVSS   Rating   Title                                             
     65    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     66    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     67    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     68    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     69    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     70    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     71    0.0    none    Hardcoded Sensitive Secrets/Credentials in Config 
     Severity rating   Count 
     Critical              0 
     High                  0 
     Medium                0 
     Low                   0 

     Category    Count 
     Secret          7 
     User            5 
     Password        5 
     URI             1 
     Infra           1 
     IaaS            1 
     Amazon          1 
     Access ID       1 

  • No reachable SCA findings: FAIL
    (43 matched vulnerabilities; configured threshold is 0).

    First 10 findings:

        ID   CVSS    Rating    CVE                Title                                                                                                                                                   
     310   10.0   critical   GMS-2022-559       Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                          
     235    9.8   critical   CVE-2018-8014      The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insec…
     245    9.8   critical   CVE-2020-1938      When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as ha…
     248    9.8   critical   CVE-2017-5651      In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing.…
     295    9.8   critical   CVE-2018-1270      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over …
     303    9.8   critical   CVE-2018-1275      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over …
     312    9.8   critical   CVE-2016-1000027   Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. De…
     234    9.1   critical   CVE-2017-5648      While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.R…
     309    8.8     high     CVE-2020-5421      In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessioni…
     262    8.6     high     CVE-2022-25762     If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apac…
     Severity rating   Count 
     Critical              8 
     High                 35 
     Medium                0 
     Low                   0 

  • No critical or high container findings: pass
    (0 matched vulnerabilities; configured threshold is 0).

3 rules failed.
